Weak Password Policy in polonel/trudesk


Reported on

May 17th 2022


I would like to let you know about the password management issue.

Proof of Concept

1- Go to your Profile or https://docker.trudesk.io/profile

2- Give a password as simple as 12345678.

You can see you will be password has been changed and there is no strong enforcement.


This password can easily be cracked using dictionary attack


Use complex password management.

We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago
Chris assigned a CVE to this report a year ago
Chris validated this vulnerability a year ago

This has been fixed in v1.2.2. I will update this report once it has been released.

Vishal Vishwakarma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris marked this as fixed in 1.2.2 with commit 13dd6c a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation