Reset API any user via IDOR in usememos/memos
Valid
Reported on Dec 24th 2022
Description
An IDOR allows an attacker to perform Reset API for any user, without that user taking any action.
Proof of Concept
1- Create a user
2- Go to Settings
3- Open Burp Suite to intercept the request
4- Click Reset API
5- Note that the endpoint in the intercepted request is PATCH /api/user/102
6- When the number 102 in the endpoint is changed to 103, the Reset API is performed for the other user
Video
https://drive.google.com/file/d/1beJs4SkGjHd8w94cSBBXE2-yGXvmxaU7/view?usp=share_link
Impact
An attacker can perform Reset API for any user.
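The defensive fix for the endpoint in step 5 is an object-level authorization check: the id in the path must match the authenticated caller. The Go example below is added here and is not code from the usememos/memos project; it models PATCH /api/user/{id} with net/http, uses a hypothetical demo header as a stand-in for session authentication, and returns 403 when the path id is not the caller's own id.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)
// callerID returns the authenticated user's id. A real server takes it from
// the session; this constructed stand-in reads a demo header (assumption).
func callerID(r *http.Request) (int, bool) {
	id, err := strconv.Atoi(r.Header.Get("X-Demo-User-ID"))
	return id, err == nil
}
// resetAPIHandler serves PATCH /api/user/{id} for the "Reset API" action.
// The report's IDOR comes from acting on {id} without comparing it to the
// caller; the ownership check below is the fix being illustrated.
func resetAPIHandler(w http.ResponseWriter, r *http.Request) {
	target, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/user/"))
	if err != nil {
		http.Error(w, "bad user id", http.StatusBadRequest)
		return
	}
	caller, ok := callerID(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	// Object-level authorization: only the owner may reset their own API
	// (an admin-role exception could be added here; none is assumed).
	if caller != target {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	// ... perform the reset for user `target` here ...
	w.WriteHeader(http.StatusOK)
}
// ResetStatus drives the handler in-process and returns the HTTP status code.
func ResetStatus(caller, target int) int {
	req := httptest.NewRequest(http.MethodPatch, "/api/user/"+strconv.Itoa(target), nil)
	req.Header.Set("X-Demo-User-ID", strconv.Itoa(caller))
	rec := httptest.NewRecorder()
	resetAPIHandler(rec, req)
	return rec.Code
}
func main() {
	fmt.Println(ResetStatus(102, 102), ResetStatus(102, 103)) // 200 403
}
```

The same check belongs on every route that takes a user id in the path, not only the reset action.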
We are processing your report and will contact the usememos/memos team within 24 hours.
16 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back.
15 days ago
samirwaleed modified the report
13 days ago
The researcher's credibility has increased: +7