Lucene search

GitHub Advisory DatabaseGHSA-MQ5Q-GPGV-PWXW

HistoryDec 28, 2022 - 3:30 p.m.

usememos/memos Incorrect Use of Privileged APIs vulnerability

2022-12-2815:30:46

CWE-648

GitHub Advisory Database

github.com

usememos

memos

api

vulnerability

unauthorized access

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

21.8%

JSON

In usememos/memos 0.9.0 and prior, a user can archive any private memos, delete any shortcut, and edit any shortcut from other users via API.

Affected configurations

Vulners

Node

usememosmemosRange≤0.9.0

VendorProductVersionCPE
usememosmemos*cpe:2.3:a:usememos:memos:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
usememos	memos	*	cpe:2.3:a:usememos:memos::::::::

References

github.com/advisories/GHSA-mq5q-gpgv-pwxw

github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53

huntr.dev/bounties/b03f6a9b-e49b-42d6-a318-1d7afd985873

nvd.nist.gov/vuln/detail/CVE-2022-4805

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

21.8%

JSON

Related for GHSA-MQ5Q-GPGV-PWXW