Archive any post (public / private) using IDOR in usememos/memos

Valid

Reported on

Dec 24th 2022


Description

It was observed that we can archive any user's post using the archive option by changing the post id.

1> Created a user with the username lolwa.
2> Posted a post and identified its post id, 1007.
3> Now get the post id from the demo user, i.e. 1006.
4> Now click on archive for post id 1007 as user lolwa.
5> Intercept the request and change the post id 1007 to 1006 (1006 is the post id from the demo user).
6> It was observed that I can archive any user's post by changing the post id.

Proof of Concept

https://drive.google.com/drive/folders/1If4VFFxHecgKPOy8K1mBoVNTzyvib_nW?usp=share_link

Impact

We can archive any user's post (public / private).
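
The missing check behind this class of bug, as an added example (not the usememos/memos code and not part of the original report): an archive operation that trusts the memo id from the request, beside one that compares the memo's owner with the session user. The `Memo`, `Store`, `ArchiveUnsafe` and `ArchiveChecked` names and the user ids 1 (demo) and 2 (lolwa) are assumptions made for illustration; the memo ids 1006 and 1007 are taken from the steps above.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for illustration; not the memos project's own code.
type Memo struct {
	ID, CreatorID int
	RowStatus     string // "NORMAL" or "ARCHIVED"
}

var ErrNotFound = errors.New("memo not found")
var ErrForbidden = errors.New("memo belongs to another user")

type Store map[int]*Memo

// ArchiveUnsafe acts on whatever memo id the request carries: the IDOR pattern.
func (s Store) ArchiveUnsafe(sessionUserID, memoID int) error {
	m, ok := s[memoID]
	if !ok {
		return ErrNotFound
	}
	m.RowStatus = "ARCHIVED" // no ownership check before the state change
	return nil
}

// ArchiveChecked authorizes the object against the authenticated session user.
func (s Store) ArchiveChecked(sessionUserID, memoID int) error {
	m, ok := s[memoID]
	if !ok {
		return ErrNotFound
	}
	if m.CreatorID != sessionUserID {
		return ErrForbidden // reject before touching the record
	}
	m.RowStatus = "ARCHIVED"
	return nil
}

// NewSampleStore returns constructed data: demo (id 1) owns 1006, lolwa (id 2) owns 1007.
func NewSampleStore() Store {
	return Store{1006: {ID: 1006, CreatorID: 1, RowStatus: "NORMAL"},
		1007: {ID: 1007, CreatorID: 2, RowStatus: "NORMAL"}}
}

func main() {
	s := NewSampleStore()
	fmt.Println("unsafe: ", s.ArchiveUnsafe(2, 1006), s[1006].RowStatus)
	s = NewSampleStore()
	fmt.Println("checked:", s.ArchiveChecked(2, 1006), s[1006].RowStatus)
}
```

The session user id has to come from the server-side session or token, never from a field in the same request that carries the memo id.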

Occurrences

We are processing your report and will contact the usememos/memos team within 24 hours. 5 months ago
We have contacted a member of the usememos/memos team and are waiting to hear back 5 months ago
STEVEN validated this vulnerability 4 months ago
samsamurai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit 3556ae 4 months ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 4 months ago
memo.go#L1-L94 has been validated