#VU87935 Authorization bypass through user-controlled key in memos - CVE-2022-4806


Vulnerability identifier: #VU87935

Vulnerability risk:

CVSSv4.0: 0 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:]

CVE-ID: CVE-2022-4806

CWE-ID: CWE-639

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
memos
Web applications / Modules and components for CMS

Vendor: memos

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to authorization bypass through user-controlled key. A remote user can bypass implemented security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

memos: 0.0.1 - 0.9.0

External links
https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53
https://huntr.dev/bounties/2c7101bc-e6d8-4cd0-9003-bc8d86f4e4be

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Dell Cloud Tiering Appliance/VE update for third-party components
SUSE update for gdb
SUSE update for gdb
SUSE update for gdb
Multiple vulnerabilities in memos