Reset API any user via IDOR in usememos/memos

Valid

Reported on

Dec 22nd 2022

Description

Reset API any user without taking action from him via IDOR

Proof of Concept

1- Create a user

2- Go to setting

3- Open Burp Suite to object to the requisition

4- Click on it Reset API

5- This is the body request > {"id":101,"resetOpenId":true}

6- When changing the "id", for example "102", and sending the request, we notice that the request has been approved and the API is reset with showing the new API to the user, and this is also something that should not happen be shown

More clarification

I have a user named TEST, when I make a Reset API for him, I will intercept the request, and I will notice that I have a parameter in the body request with the name "id=101". When it is changed to any number, for example "102", the Reset API will happen to the user whose "id" is 102

Impact

An attacker can make a Reset API for any user

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago

STEVEN validated this vulnerability a year ago

samirwaleed has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

STEVEN marked this as fixed in 0.9.0 with commit dca35b a year ago

STEVEN has been awarded the fix bounty

This vulnerability has been assigned a CVE

STEVEN published this vulnerability a year ago

to join this conversation