Privilege vulnerability at API Change Password in usememos/memos

Valid

Reported on Dec 21st 2022


Description

There is a vulnerability in the Change Password API.

I use the API PATCH /api/user/x to get a user's information and change their password, where x is the user's id; the ids are numbers in ascending or descending order.

Proof of Concept

1. Access the demo website https://demo.usememos.com/

2. Use the demohero user or you can create new users.

3. In this scenario, I use my new account (chuchu - id 104). Use Burp Suite (or Postman) to call the change password API and edit the body of the request, changing the field id from 104 to 101 (101 is demohero's id). This is just an example, and we can do the same to all users' accounts there.

4. Send the request and it is successful. Now you can see the user's information and the password is also changed.

5. Try to log in again to check it. It works.

PoC link: https://drive.google.com/file/d/1_Z6NH9-hFo-Q4nqqtjE6bZeOnv1yR9kH/view?usp=sharing

Impact

Stealing other users' accounts easily and using their users. Stealing all other users' information.
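
The object-level authorization check whose absence the report describes, as an added example in Go (the language memos is written in); it is not the project's code and not the fix from commit dca35b. `Session`, `AuthorizeUserPatch`, the error values and the rule that a host account may edit other users are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Session is the identity the server derived from the login session,
// never from request data. Hypothetical type, not memos' own.
type Session struct {
	UserID int
	IsHost bool // assumption: a host/admin role may edit other users
}

var (
	ErrForbidden  = errors.New("forbidden: cannot modify another user")
	ErrIDMismatch = errors.New("bad request: body id does not match path id")
)

// AuthorizeUserPatch returns the user id a PATCH /api/user/{pathID} may update.
// The target is taken from the path only; an "id" field in the body must match
// it, and the caller must own the target account or hold the host role.
func AuthorizeUserPatch(s Session, pathID int, body []byte) (int, error) {
	var p struct {
		ID *int `json:"id"`
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return 0, fmt.Errorf("bad request: %w", err)
	}
	if p.ID != nil && *p.ID != pathID {
		return 0, ErrIDMismatch
	}
	if s.UserID != pathID && !s.IsHost {
		return 0, ErrForbidden
	}
	return pathID, nil
}

func main() {
	chuchu := Session{UserID: 104} // constructed sample matching the report's ids
	// Constructed requests: body id rewritten to 101, then path pointed at 101.
	_, err := AuthorizeUserPatch(chuchu, 104, []byte(`{"id":101,"password":"x"}`))
	fmt.Println("tampered body id:", err)
	_, err = AuthorizeUserPatch(chuchu, 101, []byte(`{"password":"x"}`))
	fmt.Println("other user's path:", err)
	id, err := AuthorizeUserPatch(chuchu, 104, []byte(`{"password":"x"}`))
	fmt.Println("own account:", id, err)
}
```

A handler would call this before any database write and use only the returned id as the update target.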

We are processing your report and will contact the usememos/memos team within 24 hours. 19 days ago
Chuu modified the report 19 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 18 days ago
usememos/memos maintainer validated this vulnerability 18 days ago
Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.0 with commit dca35b 17 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 17 days ago