ghsa

An Insufficient Granularity of Access Control in usememos/memos prior to 0.9.0 can allow an attacker to delete a memo from the archives.

In usememos/memos 0.9.0 and prior, an unauthorized user can access any private memo by URL hacking a memo on the editing screen.

An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others' public and private memos.

usememos/memos 0.9.0 and prior is vulnerable to full account takeover via changing user name, email address, and display name.

In usememos/memos 0.9.0 and prior, a user can view any content from private memos from other users via the API.

Comparison of Object References Instead of Object Contents in GitHub repository usememos/memos 0.9.0 and prior.

In usememos/memos 0.9.0 and prior, users can edit and delete all other users' shortcuts.

In usememos/memos 0.9.0 and prior, a user with login permission can delete all notes of the whole application via `API DELETE https://demo.usememos.com/api/memo/$idnote`. The vulnerability will lose all user notes data throughout the system, causing damage to user data.

usememos/memos 0.9.0 and prior is vulnerable to Improper Verification of Source of a Communication Channel.

In usememos/memos 0.9.0 and prior, an attacker can delete other users' posts via post id, which can be done via brute force.