Deletion of all notes of all users in the application in usememos/memos

Valid

Reported on

Dec 26th 2022


Description

Any user with login permission can delete the notes of every user in the whole application by calling the API endpoint DELETE https://demo.usememos.com/api/memo/$idnote, where $idnote may be the id of any note and not only one of the caller's own.

Proof of Concept

Link: https://drive.google.com/file/d/1P0MvqadCdTo1yxK9VBkm5ntwBvJMSZa8/view?usp=sharing

Impact

Exploiting the vulnerability loses all users' note data throughout the system, causing damage to user data.
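The fix for this class of bug is an ownership check in the delete handler. The following is an added illustration written for this page, not code from the usememos/memos project: a hypothetical in-memory memo store whose DeleteMemo refuses to remove a memo unless the authenticated requester is its creator (the MemoStore type, error values and sample ids are all constructed).

```go
package main

import "errors"

// Memo is a note owned by exactly one user; the ids used below are constructed samples.
type Memo struct {
	ID        int
	CreatorID int
	Content   string
}

var ErrNotFound = errors.New("memo not found")
var ErrForbidden = errors.New("memo is not owned by the requesting user")

// MemoStore is a hypothetical in-memory stand-in for the memo table.
type MemoStore struct {
	memos map[int]Memo
}

func NewMemoStore(memos ...Memo) *MemoStore {
	s := &MemoStore{memos: make(map[int]Memo, len(memos))}
	for _, m := range memos {
		s.memos[m.ID] = m
	}
	return s
}

// DeleteMemo enforces ownership: the memo is loaded first and deleted only if the
// authenticated requester is its creator. The flaw in the report amounts to
// deleting by id alone, i.e. skipping the CreatorID comparison below.
// Map ErrForbidden to the same HTTP status as ErrNotFound if callers must not
// learn which memo ids belong to other users.
func (s *MemoStore) DeleteMemo(requesterID, memoID int) error {
	m, ok := s.memos[memoID]
	if !ok {
		return ErrNotFound
	}
	if m.CreatorID != requesterID {
		return ErrForbidden
	}
	delete(s.memos, memoID)
	return nil
}

// Count reports how many memos remain, so a caller can verify nothing else was lost.
func (s *MemoStore) Count() int { return len(s.memos) }
```

The same check belongs on every per-object endpoint (update, pin, attach resource), because an ownership test on delete alone leaves the sibling handlers exposed.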

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the usememos/memos team and are waiting to hear back a year ago
STEVEN validated this vulnerability a year ago
trumthiphi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit 3556ae a year ago
STEVEN has been awarded the fix bounty
This vulnerability has now been published a year ago