Delete all notes of all users in application in usememos/memos
Valid
Reported on
Dec 26th 2022
Description
A user with login permission can delete all notes in the whole application via the API: DELETE https://demo.usememos.com/api/memo/$idnote
Proof of Concept
Link: https://drive.google.com/file/d/1P0MvqadCdTo1yxK9VBkm5ntwBvJMSZa8/view?usp=sharing
Impact
This vulnerability can cause the loss of all user notes throughout the system, damaging user data.
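The server-side check that stops one logged-in user from deleting another user's memo, as an added example that is not code from usememos/memos. It assumes the root cause is a missing ownership check on the delete route, which the report does not state; `Memo`, `Store`, `DeleteMemo` and `Status` are hypothetical names and the data is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Memo is a hypothetical note record; CreatorID is the owning user's ID.
type Memo struct{ ID, CreatorID int }

// Store is an in-memory stand-in for the application's database.
type Store struct{ memos map[int]Memo }

// DeleteMemo serves DELETE /api/memo/{id}; userID must come from the session.
func (s *Store) DeleteMemo(userID int, w http.ResponseWriter, r *http.Request) {
	id, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/memo/"))
	if err != nil {
		http.Error(w, "bad memo id", http.StatusBadRequest)
		return
	}
	memo, ok := s.memos[id]
	if !ok {
		http.Error(w, "memo not found", http.StatusNotFound)
		return
	}
	// Being logged in is not enough: the caller must own the memo.
	if memo.CreatorID != userID {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	delete(s.memos, id)
	w.WriteHeader(http.StatusOK)
}

// Status issues a DELETE for memoID as userID and returns the HTTP status.
func Status(s *Store, userID int, memoID string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodDelete, "/api/memo/"+memoID, nil)
	s.DeleteMemo(userID, rec, req)
	return rec.Code
}

func main() {
	s := &Store{memos: map[int]Memo{1: {1, 10}, 2: {2, 20}}} // constructed data
	fmt.Println(Status(s, 20, "1"), Status(s, 10, "1"), Status(s, 10, "1"))
}
```

A regression test for this class of bug should always include the cross-user case: authenticate as one account and assert that a delete against another account's memo ID is rejected and the record still exists.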
We are processing your report and will contact the usememos/memos team within 24 hours.
14 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back
13 days ago
The researcher's credibility has increased: +7