usememos Memos Access Control Vulnerability in Attachment Management

Vulnerability

A broken access control vulnerability has been identified in usememos Memos version 0.25.2. It allows any authenticated, low-privileged user to modify or delete the attachments of other users' memos. The root cause is that the application does not check who owns the memo or its attachments when the memo's attachment list is updated, so an authenticated caller can rewrite which attachments are bound to someone else's memo, or remove them entirely.

Impact

Exploitation could lead to unauthorized deletion of other users' attachments, with permanent data loss, or to manipulation of attachment visibility, such as exposing attachments from a private memo through a public one.

Reproduction

To reproduce this vulnerability, an authenticated user with low privileges sends a PATCH request to the '/api/v1/memos/{memoId}/attachments' endpoint, where {memoId} identifies a memo belonging to another user. The request body must include a 'name' field carrying that memo ID and an 'attachments' field listing the attachment IDs that should remain bound to the memo. If the 'attachments' list is left empty, every attachment currently bound to the memo is detached and deleted from the server.

Remediation

Upgrade to Memos version 0.25.3, which addresses this vulnerability by adding authorization checks to attachment management so that only the owner of a memo (or an administrator) can change its attachment set.
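The following is an added illustration of the missing check described in the Reproduction and Remediation sections above. It is not Memos' code and not the 0.25.3 patch: the in-memory model, field names, the 'memos/1' and 'attachments/a1' identifiers, the admin bypass and the constructed sample data are all assumptions chosen to show the logic. A vulnerable handler that only confirms the caller is logged in is placed beside a hardened one that verifies ownership of the memo and of every attachment before anything is mutated.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical in-memory model standing in for the real store; field names are
// assumptions, not Memos' schema.
type Memo struct {
	ID        string
	CreatorID int // owner of the memo
}

type Attachment struct {
	ID        string
	CreatorID int    // user who uploaded it
	MemoID    string // memo it is currently bound to
}

type Store struct {
	Memos       map[string]*Memo
	Attachments map[string]*Attachment
}

// Caller is what the handler sees after authentication. Letting admins bypass
// the ownership check is an assumption about a typical design.
type Caller struct {
	UserID  int
	IsAdmin bool
}

var (
	ErrUnauthenticated  = errors.New("unauthenticated")
	ErrPermissionDenied = errors.New("permission denied")
	ErrNotFound         = errors.New("not found")
)

// setAttachments is the shared mutation behind the PATCH: attachments bound to
// the memo but absent from keep are deleted; those in keep are bound to it.
func (s *Store) setAttachments(memoID string, keep []string) {
	keepSet := make(map[string]bool, len(keep))
	for _, id := range keep {
		keepSet[id] = true
	}
	for id, a := range s.Attachments {
		if a.MemoID == memoID && !keepSet[id] {
			delete(s.Attachments, id) // the data-loss path: an empty list wipes the memo
		}
	}
	for _, id := range keep {
		if a, ok := s.Attachments[id]; ok {
			a.MemoID = memoID
		}
	}
}

// SetMemoAttachmentsVulnerable mirrors the advisory's flaw: it checks that the
// caller is authenticated and the memo exists, but never compares the caller to
// the owner of the memo or of the attachments.
func (s *Store) SetMemoAttachmentsVulnerable(c Caller, memoID string, keep []string) error {
	if c.UserID == 0 {
		return ErrUnauthenticated
	}
	if _, ok := s.Memos[memoID]; !ok {
		return ErrNotFound
	}
	s.setAttachments(memoID, keep)
	return nil
}

// SetMemoAttachmentsHardened adds the two ownership checks, both before any
// mutation: the caller must own the memo being rewritten, and every attachment
// being bound to it must also belong to the caller.
func (s *Store) SetMemoAttachmentsHardened(c Caller, memoID string, keep []string) error {
	if c.UserID == 0 {
		return ErrUnauthenticated
	}
	memo, ok := s.Memos[memoID]
	if !ok {
		return ErrNotFound
	}
	if memo.CreatorID != c.UserID && !c.IsAdmin {
		return ErrPermissionDenied
	}
	for _, id := range keep {
		a, ok := s.Attachments[id]
		if !ok {
			return ErrNotFound
		}
		if a.CreatorID != c.UserID && !c.IsAdmin {
			return ErrPermissionDenied // stops binding someone else's private attachment
		}
	}
	s.setAttachments(memoID, keep)
	return nil
}

// NewDemoStore returns constructed sample data: user 1 owns memo "memos/1"
// with one attachment; user 2 plays the low-privileged attacker.
func NewDemoStore() *Store {
	return &Store{
		Memos: map[string]*Memo{"memos/1": {ID: "memos/1", CreatorID: 1}},
		Attachments: map[string]*Attachment{
			"attachments/a1": {ID: "attachments/a1", CreatorID: 1, MemoID: "memos/1"},
		},
	}
}

func main() {
	attacker := Caller{UserID: 2}
	s := NewDemoStore()
	err := s.SetMemoAttachmentsVulnerable(attacker, "memos/1", nil)
	fmt.Printf("vulnerable: err=%v, attachments left=%d\n", err, len(s.Attachments))
	s = NewDemoStore()
	err = s.SetMemoAttachmentsHardened(attacker, "memos/1", nil)
	fmt.Printf("hardened:   err=%v, attachments left=%d\n", err, len(s.Attachments))
}
```

The point worth carrying over to any real fix is that the check must cover both directions of the mutation: the memo whose list is being rewritten (so a foreign caller cannot detach and delete) and each attachment in the new list (so a caller cannot pull another user's private attachment onto their own public memo). Both checks run before the store is touched, so a denied request leaves no partial state.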

Added: Dec 8, 2025, 4:22 PM
Updated: Dec 8, 2025, 6:28 PM

Vulnerability Rating

Custom Algorithm (score out of 10 per category)

spread:         0.0
impact:         5.0
exploitability: 4.6
remediation:    7.7
relevance:      1.3
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.