Access all Private Memos by unauthorized user in usememos/memos

Valid

Reported on

Dec 23rd 2022


Description

After login , I create a new memo and post it then i tried to edit it So in editing POST request you can find the memo id in POST data and in the URL if you change it to any private memo you can access it Also you can change the private memo visibility status and content .

Proof of Concept

https://drive.google.com/file/d/13cZ4p-rVimkO0XFDpYBCfT53kivWeuTW/view?usp=sharing

Impact

Access all private memos and edit them

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the usememos/memos team and are waiting to hear back a year ago
STEVEN validated this vulnerability a year ago
mohamedabdelhady933 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mohamed
a year ago

Researcher


Can you assign it as CVE !

STEVEN
a year ago

Maintainer


Sorry, I cannot reproduce in v0.9.0. Could you try it again on demo site?

Mohamed
a year ago

Researcher


Yes , I get it again in 0.9.0 on the current demo site .

Retesting POC video : https://drive.google.com/file/d/1bThXxhkCiWidCaDtEwEuabmwViwg2LK7/view?usp=sharing

STEVEN
a year ago

Maintainer


Thanks!

STEVEN marked this as fixed in 0.9.1 with commit 3556ae a year ago
STEVEN has been awarded the fix bounty
This vulnerability has now been published a year ago
to join this conversation