Admin is able to ARCHIVE OWN Account leads to Deactivate ADMIN Account in usememos/memos

Valid

Reported on

Dec 29th 2022


Description

As per the flow, Admin can't ARCHIVE OWN account.

I was able to ARCHIVE the ADMIN's OWN account by intercepting the request and changing the ID value to the Admin's.

Which leads to the ADMIN account being ARCHIVED, :/ Please restore it.

Might be possible to DELETE the Admin account too; after ARCHIVING the account it's not accessible to test further.

1. Login to Admin account.
2. Go to Settings, click on user list.
3. Click on ARCHIVE for any user.
4. Intercept the request in Burp.
5. Change the user ID to the Admin ID.
6. Forward the request.
7. ADMIN account is ARCHIVED by itself, even though we don't have permission to ARCHIVE our own Admin account.

POC:  https://drive.google.com/file/d/1zYOAfe1tZr2K0IKhy7ZU7kgpB_O-s48j/view?usp=share_link


After attack: [screenshot]

Not able to access it again :)

PATCH /api/user/101 HTTP/2
Host: demo.usememos.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 33
Referer: https://demo.usememos.com/?shortcutId=10
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"id":101,"rowStatus":"ARCHIVED"}
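The request above is accepted because the server trusts the id it is handed and never compares the target of the update with the account that is signed in. As an added example (not code from the memos project or from the report), here is the server-side decision a PATCH /api/user/{id} handler should make before touching the row. The session type, the decidePatch function and the role names "HOST" (admin) and "USER" are assumptions for this illustration; the JSON body and the id 101 are taken from the captured request.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// session is what the server already knows about the caller. It comes from
// the authenticated session, never from the request body or the URL.
// The role names are an assumption for this example.
type session struct {
	UserID int
	Role   string // "HOST" (admin) or "USER"
}

// userPatch mirrors the body captured in the report:
// {"id":101,"rowStatus":"ARCHIVED"}. Pointers distinguish "absent" from "zero".
type userPatch struct {
	ID        *int    `json:"id"`
	RowStatus *string `json:"rowStatus"`
}

// decidePatch returns the HTTP status and a reason for a PATCH /api/user/{pathID}
// request carrying rawBody, issued by session s. It encodes the checks the
// reported flow was missing; a real handler would run it before any DB write.
func decidePatch(rawBody []byte, pathID int, s session) (int, string) {
	var p userPatch
	if err := json.Unmarshal(rawBody, &p); err != nil {
		return 400, "malformed JSON body"
	}
	// If the body names an id, it must agree with the URL. A mismatch means the
	// client is steering the update at a different row than the one it addressed.
	if p.ID != nil && *p.ID != pathID {
		return 400, fmt.Sprintf("body id %d does not match path id %d", *p.ID, pathID)
	}
	// Non-admins may only modify their own record.
	if s.Role != "HOST" && s.UserID != pathID {
		return 403, "users may only update their own account"
	}
	// The report's case: nobody, admin included, may archive the account they are
	// currently signed in with. The check uses the session id, not the body id.
	if p.RowStatus != nil && *p.RowStatus == "ARCHIVED" && s.UserID == pathID {
		return 403, "cannot archive the account you are signed in with"
	}
	return 200, "ok"
}

func main() {
	// Constructed replay: the admin (id 101, as in the captured request) sends the
	// same body against itself and against another user.
	admin := session{UserID: 101, Role: "HOST"}
	body := []byte(`{"id":101,"rowStatus":"ARCHIVED"}`)
	for _, pathID := range []int{101, 102} {
		status, why := decidePatch(body, pathID, admin)
		fmt.Printf("PATCH /api/user/%d as user %d -> %d %s\n", pathID, admin.UserID, status, why)
	}
}
```

The self-archive guard is keyed on the session's user id rather than on anything the client sends, which is what makes the Burp edit in the report ineffective: changing the id in the URL or body only ever changes which row is targeted, and the comparison against the signed-in account still catches it. The same shape of check is the natural place to also refuse archiving the last remaining admin, though that case is not part of this report.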

Impact

Due to this, Admin can ARCHIVE & delete OWN account.

Timeline

We are processing your report and will contact the usememos/memos team within 24 hours. (a year ago)
A GitHub Issue asking the maintainers to create a SECURITY.md exists. (a year ago)
Anil Bhatt modified the report. (a year ago)
Anil Bhatt modified the report. (a year ago)
STEVEN validated this vulnerability. (a year ago)
xo19do has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit 3556ae. (a year ago)
STEVEN has been awarded the fix bounty.
This vulnerability has now been published. (a year ago)