CVE-2022-4796

Name of the Vulnerable Software and Affected Versions usememos/memos versions prior to 0.9.1

Description The issue involves the incorrect use of privileged APIs, allowing a user with login permission to delete all notes of the whole application. This can be achieved via the API endpoint "https://demo.usememos.com/api/memo/$idnote" using the DELETE method. The vulnerability can result in the loss of all user notes data throughout the system, causing damage to user data.

Recommendations For versions prior to 0.9.1, update to version 0.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the DELETE method for the /api/memo/$idnote API endpoint to prevent unauthorized deletion of notes.