privilege escalation : Low access user can view Admin PRIVATE POST by using PIN functionality in usememos/memos


Reported on Dec 29th 2022


Due to a privilege escalation issue, a low-privilege user can view an admin's PRIVATE post by abusing the PIN functionality. PIN functionality is used to pin a post to the top. Using a low-privilege user, an attacker can view the PRIVATE posts of other, higher-privilege users: as per the flow, the post is not pinned to the top for the other user, but the POST DATA is disclosed in the response.

Proof of Concept

1. Log in to the account with the low-privilege user [jack].
2. Try to pin any of your own posts.
3. Capture the request in Burp.
4. Replace the id in the request with the admin's ID, or brute force it, in the organizer endpoint [/api/memo/1032/organizer].
5. Send the request; we can see the ADMIN PRIVATE post DATA in the response.


Vulnerable Request:

POST /api/memo/1032/organizer HTTP/2
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 15
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers


POC: (screenshot)


The attacker can view the PRIVATE posts of other, higher-privilege users (Admin) by using the PIN functionality.
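Added illustration of the access-control defect described above, written for this report and not taken from the memos code base: a constructed in-memory model of a memo and its per-user organizer (pin) row, with a handler that trusts the memo id from the path beside one that checks visibility and returns only the pin state. Memo ids, user ids and contents are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)
// Constructed model of a memo and its per-user "organizer" (pin) row;
// an added illustration, not the memos code base.
type Memo struct {
	ID, CreatorID int
	Visibility    string // "PRIVATE" or "PUBLIC"
	Content       string
}

var memos = map[int]*Memo{
	1032: {ID: 1032, CreatorID: 1, Visibility: "PRIVATE", Content: "admin-only note"},
	2001: {ID: 2001, CreatorID: 7, Visibility: "PRIVATE", Content: "jack's own note"},
}
var organizer = map[[2]int]bool{} // keyed by (userID, memoID): pins are per user
var ErrForbidden = errors.New("forbidden")

// Vulnerable shape: the memo id from the path is trusted once the session is
// valid, and the response echoes the whole memo, so another user's private
// memo is disclosed even though the pin only affects the caller's own view.
func pinMemoVulnerable(userID, memoID int, pinned bool) (*Memo, error) {
	m, ok := memos[memoID]
	if !ok {
		return nil, errors.New("not found")
	}
	organizer[[2]int{userID, memoID}] = pinned
	return m, nil
}

// Hardened: refuse memos the caller may not read, and return only the pin
// state rather than the memo body.
func pinMemoHardened(userID, memoID int, pinned bool) (bool, error) {
	m, ok := memos[memoID]
	if !ok || (m.Visibility == "PRIVATE" && m.CreatorID != userID) {
		return false, ErrForbidden // same error for missing and hidden ids
	}
	organizer[[2]int{userID, memoID}] = pinned
	return pinned, nil
}

func main() {
	m, _ := pinMemoVulnerable(7, 1032, true) // jack (7) targets admin memo 1032
	fmt.Println("vulnerable handler leaked:", m.Content)
	_, err := pinMemoHardened(7, 1032, true)
	fmt.Println("hardened handler:", err)
}
```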

We are processing your report and will contact the usememos/memos team within 24 hours. 9 months ago
We have contacted a member of the usememos/memos team and are waiting to hear back 9 months ago
Anil Bhatt modified the report 9 months ago
Anil Bhatt modified the report 9 months ago
Anil Bhatt, 5 months ago:


Hello,

I have retested the issue on the latest version "memos v0.12.2"; the issue is not fixed yet. POC: (screenshot)

correctroadh modified the Severity from High (8.8) to High (8.8) 3 months ago
correctroadh validated this vulnerability 3 months ago
Anil Bhatt has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
correctroadh marked this as fixed in 0.13.2 with commit c9aa2e 3 months ago
correctroadh has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Sep 1st 2023
memo_organizer.go#L9 has been validated
Anil Bhatt, 2 months ago:


Hello Team,

The issue has been fixed in the new version; tested in 0.14.2.

POC: (screenshot)

Any updates for the CVE? It is not assigned yet.


correctroadh published this vulnerability 21 days ago