Critical Account Takeover and Privilege Escalation in usememos/memos


Reported on

Dec 22nd 2022


A critical account takeover and privilege escalation vulnerability allows a low-privilege user to take over the admin account through the change-password functionality: the request that updates a password carries the target user ID, and the server does not verify that the caller is that user.

Steps to reproduce:

1. Logged in as a normal user, select "change password".
2. In the resulting request, change the user ID to 1, which is the admin account's user ID.
3. The admin account is taken over immediately: its password is replaced with the value the low-privilege user supplied.


Impact: a low-privilege user could take over the admin account.
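The bug described above is a missing ownership check on a client-supplied user ID. The following Go program is an added example, not memos' own code and not the 0.9.0 fix; the data model (user ID 1 is the host/admin), the request shape and the `changePassword*` function names are assumptions made to illustrate the pattern. It shows the vulnerable handler, which trusts the user ID from the request body, beside a hardened one that decides who is acting from the session only and allows a user to change another account's password only when the caller is a host.

```go
package main

import (
	"errors"
	"fmt"
)

// Role models the two privilege levels relevant to the report: the first
// user (ID 1) is the host/admin, everyone else is a normal user.
// Illustrative model; not memos' data model.
type Role int

const (
	RoleUser Role = iota
	RoleHost
)

type User struct {
	ID           int
	Name         string
	Role         Role
	PasswordHash string // a "hash:" prefix stands in for a real password hash
}

// Session is what the server learns from the authenticated cookie.
// Only the caller's own user ID can be trusted.
type Session struct {
	UserID int
}

// patchUserRequest mirrors the shape of a change-password request: the
// target user ID arrives from the client, which is the untrusted input the
// report abuses by setting it to 1.
type patchUserRequest struct {
	TargetUserID int
	NewPassword  string
}

var (
	ErrForbidden = errors.New("forbidden: cannot modify another user's account")
	ErrNotFound  = errors.New("user not found")
)

type store struct {
	users map[int]*User
}

// newStore builds a constructed in-memory user table: an admin and a
// low-privilege user.
func newStore() *store {
	return &store{users: map[int]*User{
		1: {ID: 1, Name: "admin", Role: RoleHost, PasswordHash: "hash:admin-secret"},
		2: {ID: 2, Name: "mallory", Role: RoleUser, PasswordHash: "hash:mallory-pw"},
	}}
}

// changePasswordVulnerable trusts the client-supplied user ID. Any logged-in
// user can send TargetUserID=1 and overwrite the admin's password; the
// session is received but never consulted.
func (s *store) changePasswordVulnerable(_ Session, req patchUserRequest) error {
	u, ok := s.users[req.TargetUserID]
	if !ok {
		return ErrNotFound
	}
	u.PasswordHash = "hash:" + req.NewPassword
	return nil
}

// changePasswordHardened decides who is acting from the session, never from
// the request body. The target must be the caller itself, or the caller must
// be a host; everything else is rejected before any write happens.
func (s *store) changePasswordHardened(sess Session, req patchUserRequest) error {
	caller, ok := s.users[sess.UserID]
	if !ok {
		return ErrForbidden
	}
	if caller.ID != req.TargetUserID && caller.Role != RoleHost {
		return ErrForbidden
	}
	u, ok := s.users[req.TargetUserID]
	if !ok {
		return ErrNotFound
	}
	u.PasswordHash = "hash:" + req.NewPassword
	return nil
}

func main() {
	mallory := Session{UserID: 2}
	attack := patchUserRequest{TargetUserID: 1, NewPassword: "owned"}

	s := newStore()
	fmt.Println("vulnerable:", s.changePasswordVulnerable(mallory, attack), s.users[1].PasswordHash)

	s = newStore()
	fmt.Println("hardened:  ", s.changePasswordHardened(mallory, attack), s.users[1].PasswordHash)
}
```

The check compares the session's user ID against the target ID and falls back to the caller's role; whether hosts may reset other users' passwords is a product decision assumed here, but a normal user must never be able to. The same rule applies to every field of a user-update request, not only the password.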

Timeline:

- We are processing your report and will contact the usememos/memos team within 24 hours. (a year ago)
- A GitHub Issue asking the maintainers to create a exists. (a year ago)
- We have contacted a member of the usememos/memos team and are waiting to hear back. (a year ago)
- STEVEN validated this vulnerability. (a year ago)
- michaellok001 has been awarded the disclosure bounty.
- The fix bounty is now up for grabs.
- The researcher's credibility has increased: +7
- STEVEN marked this as fixed in 0.9.0 with commit dca35b. (a year ago)
- STEVEN has been awarded the fix bounty.
- This vulnerability has now been published. (a year ago)
- user.go#L1-L104 has been validated. (a year ago)


why is this rejected?
