CVE-2022-4804 - Unauthorized Attacker Can Change Visibility Status of Victim's Memos

Description

An attacker can make a private memo into a public memo in order to view it. All the attacker needs to know is the memo ID and they can make a PATCH request to /api/memo/<memo ID> with the following request data:

{"id":<MEMO ID>,"visibility":"PUBLIC","resourceIdList":[]}

Then the attacker can visit the memo URL & view the memo data of the victim. The memo URL format is similar to this: https://demo.usememos.com/m/<MEMO ID>.

Reproduction Steps

1. Create two accounts: testdemouser1 & testdemouser2
2. On testdemouser1, create a private memo
3. From the testdemouser2 account, make a PATCH request to the /api/memo<memo ID> endpoint with the request data mentioned earlier, filling out the appropriate memo ID parameters
4. Then from testdemouser2, access the memo. You should now be able to access the memo which was meant to be private.

Reference - https://huntr.dev/bounties/4ee48a1e-6332-4d95-a360-9c392643c533/