DreamHack - [Proton Memo challenge writeup]
The vulnerability lies in the set_attr() function.
Notice that the untrusted data here is selected_option, which the front end restricts to two options but the back end accepts freely.
The likely unsafe sink that selected_option reaches is setattr(), a Python built-in function.
So I did a Google search with python setattr() user-controller attributes vulnerability and found this link.
This challenge has a mass assignment vulnerability: thanks to the hasattr() and getattr() functions, we can traverse from a memo instance to its class, which gives access to the shared collections.
Payload:
selected_option=__class__.collections.<secret-uuid>.password
edit_data=<sha256-of-new-password>
password=<your-memo-password>
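A minimal model of the pattern described above, added here as an example and not taken from the challenge source: a dotted-path setter that walks with getattr() next to an allowlisted replacement. The Memo layout, the helper names, the memo ids and the two editable fields (title, content) are assumptions made for illustration.

```python
import hashlib

class Memo:
    collections = {}  # class-level dict shared by every memo (assumed layout)

    def __init__(self, memo_id, title, content, password):
        self.id, self.title, self.content = memo_id, title, content
        self.password = hashlib.sha256(password.encode()).hexdigest()
        Memo.collections[memo_id] = self

def set_attr_unsafe(obj, path, value):
    """Vulnerable pattern: walks a client-supplied dotted path with getattr()."""
    *parents, leaf = path.split(".")
    for name in parents:
        obj = obj[name] if isinstance(obj, dict) else getattr(obj, name)
    if isinstance(obj, dict):
        obj[leaf] = value
    else:
        setattr(obj, leaf, value)

# Assumed names for the two options the front end offers.
EDITABLE_FIELDS = frozenset({"title", "content"})

def set_attr_safe(memo, field, value):
    """Hardened form: exact-match allowlist, no path splitting, no traversal."""
    if field not in EDITABLE_FIELDS:
        raise ValueError(f"field not editable: {field!r}")
    setattr(memo, field, value)

def demo():
    Memo.collections.clear()
    mine = Memo("id-mine", "my memo", "hello", "my-password")       # constructed data
    other = Memo("id-other", "secret memo", "classified", "other-password")
    before = other.password
    path = "__class__.collections.id-other.password"  # same shape as the payload above
    set_attr_unsafe(mine, path, "0" * 64)
    unsafe_changed = other.password != before   # another memo's hash was overwritten
    other.password = before                     # restore for the second check
    try:
        set_attr_safe(mine, path, "0" * 64)
        rejected = False
    except ValueError:
        rejected = True
    set_attr_safe(mine, "title", "renamed")     # legitimate edit still works
    return unsafe_changed, rejected, other.password == before, mine.title
```

The fix enforces on the server the same two-option restriction the front end only suggests, and never interprets the field name as a path.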
https://minhi1.github.io/minhi1-blogs/posts/dreamhack/level-4/proton-memo/