A user can edit private memos from other users in usememos/memos

Valid

Reported on

Dec 21st 2022


Description

It is possible for a user to edit private memos from other users and also change their visibility, making them public. Also the user could change the visibility from Public to Private or viceversa.

Steps to Reproduce

  1. Log in as a user A (here called "ile.maricel").
  2. In another browser or private session, log in as user B (here called "ileana.mariceel")
  3. With user A, create a memo: "Test". See that default visibility is PRIVATE ("only visible by you").

Figure 1 Memo ID: 1.

  1. Copy the Cookie from user B.
  2. With user A, select Edit option for the created memo and edit the phrase.
  3. When selecting Save, intercept the request with a proxy and modify the Cookie by the one from user B.
  4. Edit also visibility from PRIVATE to PUBLIC:

Figure 2

PATCH /api/memo/1 
Host: localhost:5230
Content-Type: application/json
Cookie: memos_session=MTY3MTU3OTA0MXxEdi1CQkFFQ180SUFBUkFCRUFBQUh2LUNBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBSUFCQT09fOcAjJ2GPp5-cAXssL0lYKwcUk2hOR1JVz35py1Cn8sK
Connection: close

{"id":1,"content":"Test edited by another user","visibility":"PUBLIC","resourceIdList":[]}
  1. Note that memo from user A is public now.
  2. Repeat the same steps changing from PUBLIC to PRIVATE.

Impact

This vulnerability allows users to affect Confidentiality: they should not edit other's memos and make them public; it also affects Integrity of the component as the user modifies information; and lastly, the user could also turn a public memo into private by changing its visibility, without permission so it affects Availability too.

We are processing your report and will contact the usememos/memos team within 24 hours. 20 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 19 days ago
STEVEN validated this vulnerability 17 days ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.0 with commit dca35b 17 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 17 days ago
to join this conversation