The vulnerability stemmed from missing authorization checks in multiple CRUD operations. The patch adds explicit creatorID verification in the handlers for memo, resource, and shortcut management. Key indicators of the fix:

1. Removal of CreatorID from request bindings (`json:"-"`), so the value is no longer taken from the client.
2. Addition of explicit creatorID checks after the object is retrieved.
3. Restructuring of update/delete operations so that ownership is verified before the write.

The vulnerable functions were route handlers that previously trusted client-provided IDs without verifying that the authenticated user had permission on the target resource.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/usememos/memos | go | <= 0.9.0 | 0.9.1 |
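The hardened handler pattern described above, as an added illustration that is not code from the memos project: the request struct hides `CreatorID` with `json:"-"`, the object is fetched first, and ownership is checked against the authenticated user before the update. The `Memo`, `Store`, `PatchMemoRequest` and `PatchMemo` names and the in-memory store are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Memo is a simplified stand-in for a memos object owned by CreatorID.
type Memo struct {
	ID, CreatorID int
	Content       string
}
// Store is an in-memory stand-in for the database, keyed by memo ID.
type Store map[int]*Memo
// PatchMemoRequest follows the patched pattern: CreatorID carries json:"-",
// so a client-supplied "creatorId" field is dropped when the body is decoded.
type PatchMemoRequest struct {
	ID        int    `json:"id"`
	CreatorID int    `json:"-"`
	Content   string `json:"content"`
}
var (
	ErrNotFound  = errors.New("memo not found")
	ErrForbidden = errors.New("forbidden: caller is not the memo creator")
)
// PatchMemo is the hardened handler core: the creator is taken from the
// authenticated session (authUserID), the object is fetched first, and
// ownership is verified before any write happens.
func PatchMemo(s Store, authUserID int, body []byte) error {
	var req PatchMemoRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return fmt.Errorf("bad request: %w", err)
	}
	memo, ok := s[req.ID]
	if !ok {
		return ErrNotFound
	}
	if memo.CreatorID != authUserID {
		return ErrForbidden
	}
	memo.Content = req.Content
	return nil
}

func main() {
	s := Store{1: {ID: 1, CreatorID: 10, Content: "private"}} // constructed sample data
	body := []byte(`{"id":1,"creatorId":10,"content":"edited"}`) // creatorId is ignored
	fmt.Println(PatchMemo(s, 20, body))               // forbidden: caller is not the memo creator
	fmt.Println(PatchMemo(s, 10, body), s[1].Content) // <nil> edited
}
```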