API Security Blog

Unauthorized Attacker Can Change Visibility Status of Victim’s Memos

An attacker can turn another user's private memo into a public one in order to read it. All the attacker needs is the memo ID: an authenticated `PATCH` request to `/api/memo` with the body below changes the memo's visibility, because the endpoint never checks that the caller is the memo's owner:

`{"id":,"visibility":"PUBLIC","resourceIdList":[]}`

The attacker can then open the memo URL and read the victim's memo. The memo URL has the form https://demo.usememos.com/m/.

# Reproduction Steps

1. Create two accounts: testdemouser1 and testdemouser2.
2. As testdemouser1, create a private memo.
3. As testdemouser2, send a PATCH request to the `/api/memo` endpoint with the request body shown above, filling in the ID of testdemouser1's memo.
4. As testdemouser2, open the memo URL. The memo that was meant to be private is now readable.
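The bug described above is a missing object-level authorization check on an update handler. The following Go program is an added example, not code from this report or from the Memos project: it models an in-memory memo store with a vulnerable `PATCH` handler beside a fixed one, replays the report's request body as a second user, and shows that only the fixed handler refuses the change. The `Memo`, `Store`, `PatchMemo*` and `CanView` names, and the numeric user IDs, are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Visibility uses the same string values that appear in the report's request body.
type Visibility string

const (
	Private Visibility = "PRIVATE"
	Public  Visibility = "PUBLIC"
)

// Memo is a constructed stand-in for a server-side memo row (hypothetical, not Memos' own type).
type Memo struct {
	ID         int
	CreatorID  int
	Content    string
	Visibility Visibility
}

// memoPatch matches the JSON shape from the report:
// {"id":<memo id>,"visibility":"PUBLIC","resourceIdList":[]}
// resourceIdList is parsed but not applied; the report only exercises visibility.
type memoPatch struct {
	ID             int         `json:"id"`
	Visibility     *Visibility `json:"visibility,omitempty"`
	ResourceIDList []int       `json:"resourceIdList"`
}

var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrNotFound        = errors.New("memo not found")
	ErrForbidden       = errors.New("caller is not the memo's creator")
)

// Store is an in-memory memo table standing in for the database.
type Store struct{ memos map[int]*Memo }

func NewStore(memos ...Memo) *Store {
	s := &Store{memos: map[int]*Memo{}}
	for i := range memos {
		m := memos[i]
		s.memos[m.ID] = &m
	}
	return s
}

// Get returns the stored memo pointer so callers can observe the effect of a patch.
func (s *Store) Get(id int) (*Memo, bool) { m, ok := s.memos[id]; return m, ok }

// lookup does the work both handlers share: require a logged-in caller (callerID != 0),
// decode the body and fetch the memo named by the client-supplied ID.
func (s *Store) lookup(callerID int, body []byte) (*Memo, *memoPatch, error) {
	if callerID == 0 {
		return nil, nil, ErrUnauthenticated
	}
	var p memoPatch
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, nil, err
	}
	m, ok := s.memos[p.ID]
	if !ok {
		return nil, nil, ErrNotFound
	}
	return m, &p, nil
}

// PatchMemoVulnerable only checks that the caller is authenticated. It never compares
// callerID with m.CreatorID, so any user can flip another user's memo to PUBLIC.
func (s *Store) PatchMemoVulnerable(callerID int, body []byte) (*Memo, error) {
	m, p, err := s.lookup(callerID, body)
	if err != nil {
		return nil, err
	}
	if p.Visibility != nil {
		m.Visibility = *p.Visibility
	}
	return m, nil
}

// PatchMemoFixed adds the missing ownership check before any field is mutated.
// Returning ErrNotFound instead of ErrForbidden here would also avoid confirming
// to the caller that a memo with that ID exists.
func (s *Store) PatchMemoFixed(callerID int, body []byte) (*Memo, error) {
	m, p, err := s.lookup(callerID, body)
	if err != nil {
		return nil, err
	}
	if m.CreatorID != callerID {
		return nil, ErrForbidden
	}
	if p.Visibility != nil {
		m.Visibility = *p.Visibility
	}
	return m, nil
}

// CanView models the read side: public memos are visible to everyone, private ones only to their creator.
func CanView(viewerID int, m *Memo) bool {
	return m.Visibility == Public || m.CreatorID == viewerID
}

func main() {
	const victim, attacker = 1, 2
	attack := []byte(`{"id":1,"visibility":"PUBLIC","resourceIdList":[]}`) // the report's body with id filled in

	s := NewStore(Memo{ID: 1, CreatorID: victim, Content: "private note", Visibility: Private})
	m, _ := s.Get(1)
	fmt.Println("attacker can view before patch:", CanView(attacker, m))
	_, _ = s.PatchMemoVulnerable(attacker, attack)
	fmt.Println("vulnerable handler, after patch:", CanView(attacker, m))

	s = NewStore(Memo{ID: 1, CreatorID: victim, Content: "private note", Visibility: Private})
	m, _ = s.Get(1)
	_, err := s.PatchMemoFixed(attacker, attack)
	fmt.Println("fixed handler:", err, "| attacker can view:", CanView(attacker, m))
}
```

The check belongs in the handler (or the store layer it calls) and must run before the update is written; a check only on the read path would not help here, since the attacker's write legitimately makes the memo public first.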
