A user can edit private memos from other users in usememos/memos

Valid

Reported on Dec 21st 2022

Description

It is possible for a user to edit private memos belonging to other users and also change their visibility, making them public. The user can likewise change the visibility of another user's memo from PUBLIC to PRIVATE or vice versa.

Steps to Reproduce

  1. Log in as user A (here called "ile.maricel").
  2. In another browser or private session, log in as user B (here called "ileana.mariceel").
  3. With user A, create a memo: "Test". Note that the default visibility is PRIVATE ("only visible by you").

Figure 1: Memo ID: 1.

  4. Copy the Cookie from user B.
  5. With user A, select the Edit option for the created memo and edit the phrase.
  6. When selecting Save, intercept the request with a proxy and replace the Cookie with the one from user B.
  7. Also edit the visibility from PRIVATE to PUBLIC:

Figure 2

PATCH /api/memo/1
Host: localhost:5230
Content-Type: application/json
Cookie: memos_session=MTY3MTU3OTA0MXxEdi1CQkFFQ180SUFBUkFCRUFBQUh2LUNBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBSUFCQT09fOcAjJ2GPp5-cAXssL0lYKwcUk2hOR1JVz35py1Cn8sK
Connection: close

{"id":1,"content":"Test edited by another user","visibility":"PUBLIC","resourceIdList":[]}

  8. Note that the memo from user A is now public.
  9. Repeat the same steps, changing the visibility from PUBLIC to PRIVATE.

Impact

This vulnerability affects Confidentiality: users should not be able to edit other users' memos or make them public. It also affects Integrity, since the user modifies information they do not own. Lastly, the user can turn a public memo private by changing its visibility without permission, so it affects Availability too.
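The root cause is a missing per-object authorization check: the PATCH handler authenticates the session but never verifies that the session user owns the memo named in the body. The following Go model, added here as an illustration and not the memos project's own code (the memo fields, the in-memory map and both update functions are assumptions), shows the vulnerable shape next to the fixed one.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of the report's bug; this is not the memos project's own code.
type Memo struct {
	ID, CreatorID       int
	Content, Visibility string // visibility is "PRIVATE" or "PUBLIC"
}

type MemoPatch struct { // mirrors the JSON body of the PATCH /api/memo/1 request above
	ID                  int
	Content, Visibility string
}

var ErrNotFound = errors.New("memo not found")
var ErrForbidden = errors.New("forbidden: memo belongs to another user")

// updateMemoVulnerable only requires a valid session: it trusts the id in the body
// and never compares the owner with sessionUserID, so any logged-in user can edit any memo.
func updateMemoVulnerable(memos map[int]*Memo, sessionUserID int, p MemoPatch) error {
	m, ok := memos[p.ID]
	if !ok {
		return ErrNotFound
	}
	m.Content, m.Visibility = p.Content, p.Visibility
	return nil
}

// updateMemoFixed loads the memo first and refuses the update unless the
// session user is its creator, enforcing authorization per object.
func updateMemoFixed(memos map[int]*Memo, sessionUserID int, p MemoPatch) error {
	m, ok := memos[p.ID]
	if !ok {
		return ErrNotFound
	}
	if m.CreatorID != sessionUserID {
		return ErrForbidden
	}
	m.Content, m.Visibility = p.Content, p.Visibility
	return nil
}

func main() {
	memos := map[int]*Memo{1: {ID: 1, CreatorID: 1, Content: "Test", Visibility: "PRIVATE"}}
	fmt.Println(updateMemoFixed(memos, 2, MemoPatch{ID: 1, Content: "Test edited by another user", Visibility: "PUBLIC"}))
}
```

The fixed variant rejects the cross-user request with ErrForbidden and leaves the memo untouched, while the owner's own edit still applies.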

Timeline

We are processing your report and will contact the usememos/memos team within 24 hours.
A GitHub Issue asking the maintainers to create a SECURITY.md exists.
We have contacted a member of the usememos/memos team and are waiting to hear back.
STEVEN validated this vulnerability.
Ileana Barrionuevo has been awarded the disclosure bounty.
STEVEN marked this as fixed in 0.9.0 with commit dca35b.
STEVEN has been awarded the fix bounty.
This vulnerability has been assigned a CVE.
STEVEN published this vulnerability.