Admin is able to ARCHIVE OWN Account leads to Deactivate ADMIN Account in usememos/memos


Reported on Dec 29th 2022


As per the flow, Admin can't ARCHIVE OWN account.

I was able to ARCHIVE the ADMIN's OWN account by intercepting the request and changing the ID value to the Admin's.

This leads to the ADMIN account being ARCHIVED. :/ Please restore it.

It might be possible to DELETE the Admin account too; after ARCHIVING the account it's not accessible to test further.

1. Login to the Admin account.
2. Go to Settings, click on the user list.
3. Click on ARCHIVE for any user.
4. Intercept the request in Burp.
5. Change the user ID to the Admin ID.
6. Forward the request.
7. The ADMIN account is ARCHIVED by its OWN action, even though we don't have permission to ARCHIVE our own Admin account.


[screenshot]

After attack: [screenshot]

Not able to access it again :)

[screenshot]

PATCH /api/user/101 HTTP/2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 33
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers



Due to this, Admin can ARCHIVE & DELETE their OWN account.
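The root cause described above is that the "can't archive own account" rule was enforced only in the UI, so a request rewritten in a proxy bypassed it. The following is an added example, not memos' own code, of how that rule looks when enforced server-side on a PATCH /api/user/{id} endpoint: the acting user comes from the session, the target comes from the path, and the decision is made in one function that the handler cannot skip. It assumes a host/admin with id 101 (as in the captured request), a plain user with id 102, role values "HOST"/"USER", a rowStatus field with value "ARCHIVED", and an X-Session-User header standing in for a real cookie-backed session; all of these are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"strconv"
	"strings"
)

// User is a simplified account record; role and status values are assumed.
type User struct {
	ID     int
	Role   string // "HOST" (the admin) or "USER"
	Status string // "NORMAL" or "ARCHIVED"
}

// UserPatch is the JSON body a client sends; only rowStatus matters here.
type UserPatch struct {
	RowStatus *string `json:"rowStatus,omitempty"`
}

var (
	ErrForbidden   = errors.New("only the host may modify other accounts")
	ErrSelfArchive = errors.New("an account cannot archive itself")
	ErrHostArchive = errors.New("the host account cannot be archived")
)

// authorizeUserPatch is the server-side rule. It is keyed on the session's
// actor and on the target looked up from the path id, never on anything the
// client asserts about itself, so changing the id in a proxy cannot bypass it.
func authorizeUserPatch(actor, target User, patch UserPatch) error {
	if actor.ID != target.ID && actor.Role != "HOST" {
		return ErrForbidden
	}
	if patch.RowStatus == nil || *patch.RowStatus != "ARCHIVED" {
		return nil // not an archive request; other fields are out of scope here
	}
	if actor.ID == target.ID {
		return ErrSelfArchive // the exact case reported: admin archiving admin
	}
	if target.Role == "HOST" {
		return ErrHostArchive
	}
	return nil
}

// userStore is a constructed in-memory stand-in for the database.
type userStore struct{ users map[int]User }

func newStore(users ...User) *userStore {
	s := &userStore{users: map[int]User{}}
	for _, u := range users {
		s.users[u.ID] = u
	}
	return s
}

// patchUserHandler serves PATCH /api/user/{id}. The X-Session-User header is
// a constructed stand-in for the session lookup a real server would do.
func (s *userStore) patchUserHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPatch {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	actorID, err := strconv.Atoi(r.Header.Get("X-Session-User"))
	actor, ok := s.users[actorID]
	if err != nil || !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	targetID, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/user/"))
	target, ok := s.users[targetID]
	if err != nil || !ok {
		http.Error(w, "no such user", http.StatusNotFound)
		return
	}
	var patch UserPatch
	if err := json.NewDecoder(r.Body).Decode(&patch); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	if err := authorizeUserPatch(actor, target, patch); err != nil {
		http.Error(w, err.Error(), http.StatusForbidden)
		return
	}
	if patch.RowStatus != nil {
		target.Status = *patch.RowStatus
		s.users[targetID] = target
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	store := newStore(User{ID: 101, Role: "HOST", Status: "NORMAL"},
		User{ID: 102, Role: "USER", Status: "NORMAL"})
	http.HandleFunc("/api/user/", store.patchUserHandler)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

With this in place the replayed request from the report (session user 101 patching /api/user/101 with rowStatus "ARCHIVED") gets a 403 and the host's row stays NORMAL, while the host archiving user 102 still succeeds; the self-archive and host-archive checks also cover the DELETE case the report speculates about if the same function guards that route.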

We are processing your report and will contact the usememos/memos team within 24 hours. 11 days ago
Anil Bhatt modified the report 11 days ago
Anil Bhatt modified the report 10 days ago
STEVEN validated this vulnerability 10 days ago
Anil Bhatt has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit 3556ae 10 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 10 days ago