Weak Password Policy in polonel/trudesk

Valid

Reported on

May 17th 2022


Description

The application does not enforce any password-strength policy when a user sets or changes their password, so trivially weak passwords are accepted.

Proof of Concept

1- Go to your Profile or https://docker.trudesk.io/profile

2- Set the password to a value as simple as 12345678.

The password is accepted and changed; no minimum length, block list or other strength requirement is enforced.

Impact

A password such as 12345678 appears in every common-password wordlist, so an account protected by it is recovered immediately by a dictionary attack, whether against a leaked password hash or by online guessing against the login form.

Fix:

Enforce a server-side password policy whenever a password is set or changed: a minimum length, rejection of known common passwords, and rejection of passwords built from the user's own name or email address. A client-side check alone is not sufficient, since the request can be replayed without it.
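One way to implement such a policy, as an added example that is not trudesk's own code or the fix referenced below: a server-side validator that rejects the PoC password and similar entries. The minimum length, the block list, the sequential-run threshold and the handler's field names (`username`, `email`, `password`) are assumptions for illustration.

```javascript
// Added example, not trudesk's own code: a server-side password policy check of the
// kind that rejects "12345678" and similar entries when a password is set or changed.
// The thresholds, the block list and the handler's field names are assumptions.

const MIN_LENGTH = 12;   // assumed minimum; length is the main defence against guessing
const MAX_LENGTH = 128;  // cap the input so password-hashing cost stays bounded

// Constructed block list for the example. A real deployment would load a large
// breached-password list (tens of thousands of entries or more) instead.
const COMMON_PASSWORDS = new Set([
  '12345678', '123456789', '1234567890', 'password', 'password1',
  'qwerty123', 'iloveyou', 'letmein', 'admin123', 'welcome1',
]);

// Longest run of characters whose char codes step by exactly +1 or -1
// ("12345678", "abcdefgh", "98765432").
function longestSequentialRun(pw) {
  let best = 1;
  let run = 1;
  for (let i = 1; i < pw.length; i++) {
    const delta = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    if (delta === 1 || delta === -1) {
      run += 1;
      if (run > best) best = run;
    } else {
      run = 1;
    }
  }
  return best;
}

// Returns { ok, failures } so the caller can report every violated rule at once.
function checkPassword(password, { username = '', email = '' } = {}) {
  if (typeof password !== 'string') {
    return { ok: false, failures: ['password must be a string'] };
  }
  const failures = [];
  const lower = password.toLowerCase();

  if (password.length < MIN_LENGTH) failures.push(`shorter than ${MIN_LENGTH} characters`);
  if (password.length > MAX_LENGTH) failures.push(`longer than ${MAX_LENGTH} characters`);
  if (COMMON_PASSWORDS.has(lower)) failures.push('appears in the common-password list');
  if (/^(.)\1*$/.test(password)) failures.push('single repeated character');
  if (longestSequentialRun(password) >= 5) failures.push('contains a sequential run of 5 or more characters');

  // Reject passwords built from account identifiers an attacker already knows.
  const user = username.toLowerCase();
  if (user.length >= 3 && lower.includes(user)) failures.push('contains the username');
  const local = email.split('@')[0].toLowerCase();
  if (local.length >= 3 && lower.includes(local)) failures.push('contains the email local part');

  return { ok: failures.length === 0, failures };
}

// Hypothetical profile-update handler, written against plain objects rather than a
// web framework so the example runs stand-alone. It returns the HTTP status and body
// a route would send; the policy runs on the server regardless of any client-side check.
function updatePasswordHandler(currentUser, body) {
  const result = checkPassword(body.password, {
    username: currentUser.username,
    email: currentUser.email,
  });
  if (!result.ok) {
    return { status: 400, body: { error: 'weak password', failures: result.failures } };
  }
  // A real handler would hash the password (e.g. bcrypt) and persist it here.
  return { status: 200, body: { ok: true } };
}

// Reproduce the report: the PoC password must be rejected (constructed user record).
const demo = updatePasswordHandler(
  { username: 'vishal', email: 'vishal@example.com' },
  { password: '12345678' },
);
console.log(demo.status, demo.body.failures);
```

The rules follow the NIST SP 800-63B approach: a length minimum and a block list of known-breached or common passwords do more than character-class composition rules, which push users toward predictable substitutions. The check belongs in the request handler, not only in the profile page's JavaScript, and should be paired with rate limiting on the login endpoint so that online guessing against remaining weak passwords is slowed as well.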

We are processing your report and will contact the polonel/trudesk team within 24 hours. a month ago
Chris Brame assigned a CVE to this report a month ago
Chris Brame validated this vulnerability a month ago

This has been fixed in v1.2.2. I will update this report once it has been released.

Vishal Vishwakarma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris Brame confirmed that a fix has been merged on 13dd6c a month ago
Chris Brame has been awarded the fix bounty