A user can edit private memos from other users in usememos/memos
Reported on
Dec 21st 2022
Description
It is possible for a user to edit private memos belonging to other users and also change their visibility, making them public. The user could also change the visibility from Public to Private or vice versa.
Steps to Reproduce
- Log in as user A (here called "ile.maricel").
- In another browser or private session, log in as user B (here called "ileana.mariceel").
- With user A, create a memo: "Test". See that default visibility is PRIVATE ("only visible by you").
Figure 1 Memo ID: 1.
- Copy the Cookie from user B.
- With user A, select the Edit option for the created memo and edit the phrase.
- When selecting Save, intercept the request with a proxy and replace the Cookie with the one from user B.
- Also edit visibility from PRIVATE to PUBLIC:
PATCH /api/memo/1
Host: localhost:5230
Content-Type: application/json
Cookie: memos_session=MTY3MTU3OTA0MXxEdi1CQkFFQ180SUFBUkFCRUFBQUh2LUNBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBSUFCQT09fOcAjJ2GPp5-cAXssL0lYKwcUk2hOR1JVz35py1Cn8sK
Connection: close

{"id":1,"content":"Test edited by another user","visibility":"PUBLIC","resourceIdList":[]}
- Note that the memo from user A is now public.
- Repeat the same steps, changing visibility from PUBLIC to PRIVATE.
Impact
This vulnerability affects Confidentiality, since users should not be able to edit others' memos and make them public. It also affects the Integrity of the component, as the user modifies information. Lastly, the user could turn a public memo private by changing its visibility without permission, so it affects Availability too.
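The missing control behind the steps above is an ownership check on the memo being patched. The following Go sketch is an added example, not code from the memos project: the types, the PatchMemo function, the checkOwner switch and the user IDs 101 and 102 are all hypothetical, and the set of allowed visibility values is limited to the two named in this report.

```go
package main

import (
	"errors"
	"fmt"
)

// Memo and MemoPatch are hypothetical types for this example.
type Memo struct {
	ID, CreatorID       int
	Content, Visibility string
}

type MemoPatch struct{ Content, Visibility *string }

var ErrNotFound = errors.New("memo not found")
var ErrForbidden = errors.New("memo belongs to another user")
var ErrVisibility = errors.New("invalid visibility")

// PatchMemo applies patch to memo id for sessionUserID, the user ID resolved from the
// server-side session. checkOwner=false reproduces the reported behaviour.
func PatchMemo(store map[int]*Memo, sessionUserID, id int, patch MemoPatch, checkOwner bool) error {
	memo, ok := store[id]
	if !ok {
		return ErrNotFound
	}
	if checkOwner && memo.CreatorID != sessionUserID {
		return ErrForbidden // authorization: the session user must own the memo
	}
	// Validate before mutating; only the two values named in the report are allowed here.
	if v := patch.Visibility; v != nil && *v != "PUBLIC" && *v != "PRIVATE" {
		return ErrVisibility
	}
	if patch.Visibility != nil {
		memo.Visibility = *patch.Visibility
	}
	if patch.Content != nil {
		memo.Content = *patch.Content
	}
	return nil
}

func main() {
	// Constructed data: user 101 stands in for user A, user 102 for user B.
	store := map[int]*Memo{1: {ID: 1, CreatorID: 101, Content: "Test", Visibility: "PRIVATE"}}
	text, vis := "Test edited by another user", "PUBLIC"
	err := PatchMemo(store, 102, 1, MemoPatch{Content: &text, Visibility: &vis}, true)
	fmt.Println(err, store[1].Visibility)
}
```

With the check enabled, user B's request is rejected and the memo keeps its content and PRIVATE visibility; the owner's own edits still succeed.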