Reset API any user via IDOR in usememos/memos

Valid

Reported on

Dec 22nd 2022


Description

Reset API any user without taking action from him via IDOR

Proof of Concept

1- Create a user

2- Go to setting

3- Open Burp Suite to object to the requisition

4- Click on it Reset API

5- This is the body request > {"id":101,"resetOpenId":true}

6- When changing the "id", for example "102", and sending the request, we notice that the request has been approved and the API is reset with showing the new API to the user, and this is also something that should not happen be shown

More clarification

I have a user named TEST, when I make a Reset API for him, I will intercept the request, and I will notice that I have a parameter in the body request with the name "id=101". When it is changed to any number, for example "102", the Reset API will happen to the user whose "id" is 102

Impact

An attacker can make a Reset API for any user

We are processing your report and will contact the usememos/memos team within 24 hours. 18 days ago
STEVEN validated this vulnerability 17 days ago
samirwaleed has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.0 with commit dca35b 17 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 17 days ago
to join this conversation