Critical Account Takeover and Privilege Escalation in usememos/memos

Valid

Reported on Dec 22nd 2022


Description

A critical account takeover and privilege escalation vulnerability allows a low-privilege user to take over the admin account through the change-password functionality.

1. As a normal user, select change password.
2. Change the user ID in the request to 1, which is the admin account's user ID.
3. The admin account is taken over immediately.

Impact

A low-privilege user could take over the admin account.
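As an added illustration of the authorization gap the report describes (example code, not memos' own; the type, field and role names are hypothetical), the vulnerable check is shown beside its fixed form. The fix binds the password change to the authenticated session instead of trusting the user ID supplied in the request body.

```go
package main

import "errors"

// Role distinguishes the admin ("host") from an ordinary user.
// Type and field names here are hypothetical, not memos' own.
type Role string

const (
	RoleHost Role = "HOST"
	RoleUser Role = "USER"
)

// Session is the authenticated caller, as established from the login cookie.
type Session struct {
	UserID int
	Role   Role
}

// PasswordPatch is the client-supplied body. Its UserID is attacker-controlled,
// which is the root of the report: the server must not trust it on its own.
type PasswordPatch struct {
	UserID      int
	NewPassword string
}

// authorizeVulnerable is the missing-check shape described in the report: it only
// confirms that a session exists and then honours whatever user ID the body names.
func authorizeVulnerable(s Session, p PasswordPatch) error {
	if s.UserID == 0 {
		return errors.New("unauthenticated")
	}
	return nil // any logged-in user may patch any user, including admin ID 1
}

// authorizeFixed binds the target to the session: a user may change only their
// own password, and only a host may change someone else's.
func authorizeFixed(s Session, p PasswordPatch) error {
	if s.UserID == 0 {
		return errors.New("unauthenticated")
	}
	if p.UserID != s.UserID && s.Role != RoleHost {
		return errors.New("forbidden: caller may not change this user's password")
	}
	return nil
}
```

A regression test for the fixed handler should cover exactly the case in the report: a non-host session whose request body names another user's ID must be rejected before any password update runs.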

We are processing your report and will contact the usememos/memos team within 24 hours. 18 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 17 days ago
STEVEN validated this vulnerability 17 days ago
mmmmmcheung has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.0 with commit dca35b 17 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 17 days ago
user.go#L1-L104 has been validated
mmmmmcheung
10 days ago

Researcher


Why is this rejected?
