Critical Account Takeover and Privilege Escalation in usememos/memos


Reported on Dec 22nd 2022


A critical account takeover and privilege escalation vulnerability allows a low-privilege user to take over the admin account through the change-password functionality.

1. As a normal user, select change password.
2. Change the user ID to 1, as that is the admin account's user ID.
3. The admin account is taken over immediately.


A low-privilege user could take over the admin account.
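The defect class behind this report, as an added illustration that is not the memos project's code nor the fix in commit dca35b: a hypothetical Go change-password handler that trusts the user ID sent in the request body, beside a hardened version that binds the target to the authenticated session. The User type, the HOST/USER role strings and the in-memory user table are constructed for the example.

```go
package main

import "fmt"

// User is a simplified stand-in for the account model (hypothetical, not memos' own type).
type User struct {
	Role         string // "HOST" is the admin account (user ID 1); "USER" otherwise
	PasswordHash string
}

// newUsers builds a constructed in-memory user table keyed by user ID.
func newUsers() map[int]*User {
	return map[int]*User{
		1: {Role: "HOST", PasswordHash: "hashed:host-secret"},
		2: {Role: "USER", PasswordHash: "hashed:user-secret"},
	}
}

// setPassword is the storage step shared by both handlers below.
func setPassword(users map[int]*User, id int, newPassword string) error {
	u, ok := users[id]
	if !ok {
		return fmt.Errorf("user %d not found", id)
	}
	u.PasswordHash = "hashed:" + newPassword // placeholder for a real hash such as bcrypt
	return nil
}

// vulnerablePatch trusts the ID from the request body: any logged-in user can reset any password (the bug reported above).
func vulnerablePatch(users map[int]*User, _ int, targetID int, newPassword string) error {
	return setPassword(users, targetID, newPassword)
}

// hardenedPatch binds the target to the authenticated session: a caller may
// only change their own password unless they hold the HOST role.
func hardenedPatch(users map[int]*User, sessionUserID, targetID int, newPassword string) error {
	caller, ok := users[sessionUserID]
	if !ok {
		return fmt.Errorf("unauthenticated")
	}
	if targetID != sessionUserID && caller.Role != "HOST" {
		return fmt.Errorf("user %d may not modify user %d", sessionUserID, targetID)
	}
	return setPassword(users, targetID, newPassword)
}

func main() {
	// Session user 2 (low privilege) names user 1 (the host) in the request body.
	fmt.Println(vulnerablePatch(newUsers(), 2, 1, "x"), hardenedPatch(newUsers(), 2, 1, "x"))
}
```

The authorization decision is made from the session's user ID, never from an ID the client can rewrite; the body ID is only used to select the target after that check passes.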

We are processing your report and will contact the usememos/memos team within 24 hours. 18 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 17 days ago
STEVEN validated this vulnerability 17 days ago
mmmmmcheung has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.0 with commit dca35b 17 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 17 days ago
user.go#L1-L104 has been validated 10 days ago


why is this rejected?
