Access all Private Memos by unauthorized user in usememos/memos

Valid

Reported on

Dec 23rd 2022

Description

After login , I create a new memo and post it then i tried to edit it So in editing POST request you can find the memo id in POST data and in the URL if you change it to any private memo you can access it Also you can change the private memo visibility status and content .

Proof of Concept

https://drive.google.com/file/d/13cZ4p-rVimkO0XFDpYBCfT53kivWeuTW/view?usp=sharing

Impact

Access all private memos and edit them

We are processing your report and will contact the usememos/memos team within 24 hours. 17 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 16 days ago
STEVEN validated this vulnerability 13 days ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mohamed
13 days ago

Researcher

Can you assign it as CVE !

STEVEN
13 days ago

Maintainer

Sorry, I cannot reproduce in v0.9.0. Could you try it again on demo site?

Mohamed
13 days ago

Researcher

Yes , I get it again in 0.9.0 on the current demo site .

Retesting POC video : https://drive.google.com/file/d/1bThXxhkCiWidCaDtEwEuabmwViwg2LK7/view?usp=sharing

STEVEN
13 days ago

Maintainer

Thanks!

STEVEN marked this as fixed in 0.9.1 with commit 3556ae 12 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 12 days ago
to join this conversation