Able to assign HOST role to new User in usememos/memos

Valid

Reported on

Dec 27th 2022


Description

As per the intended functionality, a new account can only be added with the "USER" role. Because there is no server-side validation of the "role" parameter, a new member can instead be added with the "HOST" role and receives all of the HOST user's privileges.

Proof of Concept

  1. While adding a new user, intercept the request in Burp.
  2. Change the value of the "role" parameter in the POST body to "HOST".
  3. The newly added user has HOST user privileges.


Refer to the screenshot/video PoC: https://drive.google.com/drive/folders/1CqD7SKaBMx3ms7Px3vKFR-9puI_a0V-a?usp=sharing
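The missing check described above is a server-side one: the creation handler must not trust the client-supplied role. The following is an added illustration written for this page, not code from the memos project; the `UserCreate` struct, `ParseUserCreate` function and role constants are assumed names, and the JSON bodies are constructed samples.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Role values as the report describes them: the UI only creates USER accounts,
// and HOST is the privileged owner role. These names are illustrative.
type Role string

const (
	RoleHost Role = "HOST"
	RoleUser Role = "USER"
)

// UserCreate is a hypothetical JSON body for the "add user" request.
type UserCreate struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Role     Role   `json:"role"`
}

var ErrRoleNotAllowed = errors.New("role may not be set by the client on user creation")

// ParseUserCreate decodes the request body and enforces on the server side that a
// newly created account is always a USER, regardless of what the client sent.
// A HOST (or any non-USER) role in the body is rejected rather than silently
// downgraded, so the attempt is visible to whoever reads the error logs.
func ParseUserCreate(body []byte) (UserCreate, error) {
	var req UserCreate
	if err := json.Unmarshal(body, &req); err != nil {
		return UserCreate{}, fmt.Errorf("invalid JSON: %w", err)
	}
	if req.Username == "" || req.Password == "" {
		return UserCreate{}, errors.New("username and password are required")
	}
	if req.Role != "" && req.Role != RoleUser {
		return UserCreate{}, ErrRoleNotAllowed
	}
	req.Role = RoleUser // the server, not the client, decides the role
	return req, nil
}

func main() {
	// Constructed sample: the tampered body from the PoC is refused.
	_, err := ParseUserCreate([]byte(`{"username":"alice","password":"pw","role":"HOST"}`))
	fmt.Println("tampered request:", err)
}
```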

Impact

Due to this issue, a user can be assigned the HOST role even though the application offers no functionality to do so.

After the new HOST account exists, it can be used to delete the original HOST account (example: demohero).

Timeline

We are processing your report and will contact the usememos/memos team within 24 hours. (13 days ago)
Anil Bhatt modified the report. (13 days ago)
STEVEN validated this vulnerability. (12 days ago)
Anil Bhatt has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7.
STEVEN marked this as fixed in 0.9.1 with commit 3556ae. (12 days ago)
STEVEN has been awarded the fix bounty.
This vulnerability has been assigned a CVE.
STEVEN published this vulnerability. (12 days ago)