Privilege vulnerability at API Change Password in usememos/memos
Valid
Reported on
Dec 21st 2022
Description
There is a vulnerability at API Change password.
I use API PATCH /api/user/x to get user's information and change their password. With x is the user's id, which are numbers in ascending or descending order
Proof of Concept
1. Access to the demo website https://demo.usememos.com/
2. Use the demohero user or you can create new users.
3. In this scenario, I use my new account (chuchu - id 104). Use Burp Suite (Or Postman) to call API change password and edit the body of request, field id from 104 to 101 (101 is demohero's id), this is just an example and we can do the same to all user's accounts there.
4. Send request and it is successful. Now you can see the user's information and the password is also changed.
5. Try to re-login again to check it. It works.
#Link PoC: https://drive.google.com/file/d/1_Z6NH9-hFo-Q4nqqtjE6bZeOnv1yR9kH/view?usp=sharing
Impact
Stealing other user's accounts easily and using their users. Stealing all other user's information.
We are processing your report and will contact the
usememos/memos
team within 24 hours.
5 months ago
Chuu modified the report
5 months ago
We have contacted a member of the
usememos/memos
team and are waiting to hear back
5 months ago
The researcher's credibility has increased: +7
to join this conversation
