IDOR to delete memo from archives in usememos/memos
Valid
Reported on Dec 28th 2022
Description
Insecure direct object reference (IDOR) is a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly, without checking that the requesting user is allowed to act on that object. Here the memo ID sent in the delete request for an archived memo is trusted as-is, so changing it to another user's memo ID deletes that user's memo.
Proof of Concept
1) Log in to your account at demo.usememos.com
2) Turn on your Burp Suite proxy
3) Go to archived memos, delete one archived memo and capture the request in Burp Suite
4) Send this request to Repeater and drop the current request
5) Change the memo ID to the victim's memo ID and forward the request
6) You will see that the victim's archived memo has been deleted
POC video: https://drive.google.com/file/d/1iiQTBpcwnkXTvmNSdk25wIpBuZ8iRfRd/view?usp=sharing
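To show the access-control gap behind steps 5 and 6 in code, the following is an added example and not code from the memos project: a small in-memory memo store with a delete that trusts the memo ID from the request (the IDOR pattern in this report) next to a delete that first loads the memo and checks its creator against the user taken from the session. The Memo fields, the Store type, the error values and the user/memo numbering are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Memo is a minimal stand-in for an archived memo record. The field names
// are assumptions for this example, not the memos project's own schema.
type Memo struct {
	ID        int
	CreatorID int
	Archived  bool
}

var (
	ErrNotFound  = errors.New("memo not found")
	ErrForbidden = errors.New("memo does not belong to the requesting user")
)

// Store keeps memos in memory so the example runs offline.
type Store struct {
	mu    sync.Mutex
	memos map[int]*Memo
}

// NewStore builds a store from constructed sample memos.
func NewStore(memos ...Memo) *Store {
	s := &Store{memos: make(map[int]*Memo)}
	for i := range memos {
		m := memos[i] // fresh copy per iteration so each pointer is distinct
		s.memos[m.ID] = &m
	}
	return s
}

// DeleteUnchecked mirrors the IDOR pattern from the report: the memo ID taken
// from the request is used directly, so any authenticated user can delete any
// memo whose ID they supply.
func (s *Store) DeleteUnchecked(memoID int) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.memos[memoID]; !ok {
		return ErrNotFound
	}
	delete(s.memos, memoID)
	return nil
}

// DeleteAsUser is the hardened form: userID comes from the authenticated
// session (never from the request body), the memo is loaded first, and the
// delete is refused unless that user is its creator. Lookup, check and delete
// happen under one lock so the ownership result cannot go stale in between.
func (s *Store) DeleteAsUser(userID, memoID int) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	m, ok := s.memos[memoID]
	if !ok {
		return ErrNotFound
	}
	if m.CreatorID != userID {
		// A real handler may map this to the same status as "not found" so
		// the response does not confirm that the memo ID exists; a distinct
		// error is kept here so the two cases can be told apart.
		return ErrForbidden
	}
	delete(s.memos, memoID)
	return nil
}

// Exists reports whether a memo is still present.
func (s *Store) Exists(memoID int) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.memos[memoID]
	return ok
}

func main() {
	// Constructed sample data: user 1 plays the attacker, user 2 the victim.
	vuln := NewStore(Memo{ID: 101, CreatorID: 1, Archived: true}, Memo{ID: 202, CreatorID: 2, Archived: true})
	fmt.Println("unchecked delete of victim memo:", vuln.DeleteUnchecked(202), "still exists:", vuln.Exists(202))

	fixed := NewStore(Memo{ID: 101, CreatorID: 1, Archived: true}, Memo{ID: 202, CreatorID: 2, Archived: true})
	fmt.Println("checked delete by attacker:", fixed.DeleteAsUser(1, 202), "still exists:", fixed.Exists(202))
	fmt.Println("checked delete by owner:", fixed.DeleteAsUser(2, 202), "still exists:", fixed.Exists(202))
}
```

The point of the hardened version is not the extra comparison itself but where the user ID comes from: it must be the identity the server established at login, so the only thing the client controls is which memo it asks about, and the server decides whether that memo belongs to the caller before touching it.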
Impact
An attacker who knows or guesses a memo ID can delete any victim's archived memos through this IDOR, a direct loss of data integrity for every user of the instance.
Occurrences
ArchivedMemo.tsx#L1-L75 (validated)