Admin is able to ARCHIVE OWN Account leads to Deactivate ADMIN Account in usememos/memos

Valid

Reported on

Dec 29th 2022


Description

As per the flow, Admin can't ARCHIVE OWN account.

I was able to ARCHIVE the ADMIN's OWN Account by intercepting the request and changing the ID value to the Admin's.

This leads to the ADMIN Account being ARCHIVED. :/ Please restore it.

It might be possible to DELETE the Admin Account too; after ARCHIVING the account it's not accessible to test further.

1. Login to Admin Account.
2. Go to Settings, click on user list.
3. Click on ARCHIVE for any user.
4. Intercept the request in Burp.
5. Change the user ID to the Admin ID.
6. Forward the request.
7. The ADMIN Account is ARCHIVED by itself, even though we don't have permission to ARCHIVE our own Admin Account.

POC:  https://drive.google.com/file/d/1zYOAfe1tZr2K0IKhy7ZU7kgpB_O-s48j/view?usp=share_link

[Screenshot]

After attack: [screenshot]

Not able to access it again :)

[Screenshot]

PATCH /api/user/101 HTTP/2
Host: demo.usememos.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 33
Referer: https://demo.usememos.com/?shortcutId=10
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"id":101,"rowStatus":"ARCHIVED"}
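The request above works because the server trusts the tampered ID and enforces the "can't archive your own account" rule only in the UI. As an added example (not memos' own code and not the commit that fixed this), here is a Go handler for this endpoint that enforces the rule server-side; the in-memory user store, the X-User-ID session stand-in and the "HOST"/"USER" role names are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strconv"
	"strings"
)

// Constructed stand-in for memos' user record and store (not the project's own code):
// 101 is the admin ("HOST" role), 102 an ordinary user.
type User struct{ ID int; Role, RowStatus string }
var users = map[int]*User{101: {101, "HOST", "NORMAL"}, 102: {102, "USER", "NORMAL"}}

// currentUserID stands in for session lookup: the caller is taken from a constructed
// X-User-ID header set by the auth layer, never from anything in the request body.
func currentUserID(r *http.Request) (int, error) {
	return strconv.Atoi(r.Header.Get("X-User-ID"))
}

// patchUser handles PATCH /api/user/{id}. The target is the ID in the URL path (an
// "id" field in the body is ignored), only the admin may edit other users, and
// archiving your own account is refused by the server instead of only by the UI.
func patchUser(w http.ResponseWriter, r *http.Request) {
	callerID, err := currentUserID(r)
	if err != nil {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	targetID, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/user/"))
	caller, target := users[callerID], users[targetID]
	if caller == nil || target == nil {
		http.Error(w, "user not found", http.StatusNotFound)
		return
	}
	var p struct{ RowStatus *string `json:"rowStatus"` }
	if json.NewDecoder(r.Body).Decode(&p) != nil || p.RowStatus == nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if caller.Role != "HOST" && callerID != targetID {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	if *p.RowStatus == "ARCHIVED" && callerID == targetID {
		http.Error(w, "cannot archive your own account", http.StatusForbidden)
		return
	}
	target.RowStatus = *p.RowStatus
	w.WriteHeader(http.StatusOK)
}
```

Replaying the report's exact request body against this handler with the admin's session returns 403 and leaves user 101 untouched, while the same body sent to /api/user/102 archives 102 only.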

Impact

Due to this, Admin can ARCHIVE & Delete OWN Account.

Timeline

- We are processing your report and will contact the usememos/memos team within 24 hours. (11 days ago)
- Anil Bhatt modified the report (11 days ago)
- Anil Bhatt modified the report (10 days ago)
- STEVEN validated this vulnerability (10 days ago)
- Anil Bhatt has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- The researcher's credibility has increased: +7
- STEVEN marked this as fixed in 0.9.1 with commit 3556ae (10 days ago)
- STEVEN has been awarded the fix bounty
- This vulnerability has been assigned a CVE
- STEVEN published this vulnerability (10 days ago)