
Privilege vulnerability at API Change Password

2022-12-21 07:26:38
uonghoangminhchau
www.huntr.dev
Tags: vulnerability, api, privilege, access, user's id, burp suite, postman, change password, unauthorized access

EPSS

0.001

Percentile

30.8%

Description

There is a privilege vulnerability in the change-password API.

I use the API PATCH /api/user/x to get a user's information and change their password, where x is the user's id; ids are sequential numbers, so they can be walked in ascending or descending order.

Proof of Concept

1. Go to the demo website https://demo.usememos.com/

2. Use the demohero user, or create new users.

3. In this scenario, I use my new account (chuchu, id 104). Use Burp Suite (or Postman) to call the change-password API and edit the request body, changing the id field from 104 to 101 (101 is demohero's id). This is just an example; the same can be done to every user account there.

4. Send the request; it succeeds. You can now see the user's information, and the password has also been changed.

5. Try to log in again to verify it. It works.

PoC link: https://drive.google.com/file/d/1_Z6NH9-hFo-Q4nqqtjE6bZeOnv1yR9kH/view?usp=sharing
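The root cause the steps above exercise is an insecure direct object reference: the endpoint checks that the caller is logged in, but picks the account to modify from the client-controlled id in the JSON body. The Go program below is an added example, not memos' own code, that replays the report's request (caller 104 sending id 101) against two handlers: a vulnerable one that trusts the body id, and a hardened one that takes the target from the URL, ignores any id in the body, and only allows cross-account changes for a HOST role. The in-memory Store, the X-Session-User header standing in for a real session lookup, the HOST/USER role names and the sample passwords are all constructed assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// User is a constructed record for this example, not memos' real schema.
type User struct {
	ID       int
	Username string
	Role     string // assumed role names: "HOST" (admin) or "USER"
	Password string
}

// Store is an in-memory user table keyed by id (constructed for the example).
type Store map[int]*User

// NewStore seeds the two accounts named in the report with sample passwords.
func NewStore() Store {
	return Store{
		101: {ID: 101, Username: "demohero", Role: "HOST", Password: "demohero-pass"},
		104: {ID: 104, Username: "chuchu", Role: "USER", Password: "chuchu-pass"},
	}
}

// patchBody is the JSON the report edits in Burp Suite: an id plus a new password.
type patchBody struct {
	ID       int    `json:"id"`
	Password string `json:"password"`
}

// callerID resolves the authenticated user from a hypothetical X-Session-User
// header, standing in for the real session cookie / token lookup.
func callerID(r *http.Request) (int, bool) {
	id, err := strconv.Atoi(r.Header.Get("X-Session-User"))
	return id, err == nil
}

// VulnerableHandler is the pattern the report describes: authenticated, but the
// target account is whatever id the client put in the body.
func VulnerableHandler(s Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, ok := callerID(r); !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		var body patchBody
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		u, ok := s[body.ID] // client-controlled: any user's id works
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		u.Password = body.Password
		w.WriteHeader(http.StatusOK)
	}
}

// HardenedHandler binds the target to the URL path, ignores any id in the body,
// and only lets a HOST caller modify an account other than their own.
func HardenedHandler(s Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		callerNum, ok := callerID(r)
		caller, known := s[callerNum]
		if !ok || !known {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		target, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/user/"))
		if err != nil {
			http.Error(w, "bad id", http.StatusBadRequest)
			return
		}
		if target != caller.ID && caller.Role != "HOST" {
			http.Error(w, "forbidden", http.StatusForbidden) // the missing check
			return
		}
		var body patchBody
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		u, ok := s[target] // body.ID is deliberately never consulted
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		u.Password = body.Password
		w.WriteHeader(http.StatusOK)
	}
}

// Replay sends PATCH /api/user/{target} as caller, with target's id in the body
// exactly as in the report, and returns the status and target's resulting password.
func Replay(h http.Handler, s Store, caller, target int) (int, string) {
	body := fmt.Sprintf(`{"id":%d,"password":"pwned"}`, target)
	req := httptest.NewRequest(http.MethodPatch, fmt.Sprintf("/api/user/%d", target), strings.NewReader(body))
	req.Header.Set("X-Session-User", strconv.Itoa(caller))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, s[target].Password
}

func main() {
	s := NewStore()
	code, pw := Replay(VulnerableHandler(s), s, 104, 101)
	fmt.Printf("vulnerable: status=%d demohero password=%q\n", code, pw)
	s = NewStore()
	code, pw = Replay(HardenedHandler(s), s, 104, 101)
	fmt.Printf("hardened:   status=%d demohero password=%q\n", code, pw)
}
```

The important design point is that the hardened handler derives both the caller and the target from data the client cannot forge (the session and the URL route) and never reads an id from the body; with that, an attacker editing id 104 to 101 in Burp Suite changes nothing, and a HOST admin still gets the legitimate cross-account path.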
