Privilege vulnerability at API Change Password in usememos/memos


Reported on

Dec 21st 2022


There is a vulnerability at API Change password.

I use API PATCH /api/user/x to get user's information and change their password. With x is the user's id, which are numbers in ascending or descending order

Proof of Concept

1. Access to the demo website

2. Use the demohero user or you can create new users.

3. In this scenario, I use my new account (chuchu - id 104). Use Burp Suite (Or Postman) to call API change password and edit the body of request, field id from 104 to 101 (101 is demohero's id), this is just an example and we can do the same to all user's accounts there.

4. Send request and it is successful. Now you can see the user's information and the password is also changed.

5. Try to re-login again to check it. It works.

#Link PoC:


Stealing other user's accounts easily and using their users. Stealing all other user's information.

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
Chuu modified the report
a year ago
We have contacted a member of the usememos/memos team and are waiting to hear back a year ago
usememos/memos maintainer validated this vulnerability a year ago
uonghoangminhchau has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.0 with commit dca35b a year ago
STEVEN has been awarded the fix bounty
This vulnerability has now been published a year ago
to join this conversation