Weak Password Policy in polonel/trudesk
May 17th 2022
I would like to report a password management issue.
Proof of Concept
1- Go to your Profile page, e.g. https://docker.trudesk.io/profile
2- Set a password as simple as 12345678.
You will see that the password is accepted and changed; no password-strength rule is enforced.
Such a password can easily be cracked with a dictionary attack.
Recommendation: enforce a password complexity policy.
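As an added illustration of the recommendation above (this is not trudesk's own code), a server-side policy check that would reject the 12345678 value from the proof of concept; the function names, thresholds and the short common-password list are assumptions chosen for illustration.

```javascript
// Added example, not code from the trudesk project. Thresholds and the
// common-password list are assumptions; a real deployment would load a
// large breached-password list instead of the constructed stub below.
const MIN_LENGTH = 12;

// Constructed sample of commonly used passwords (assumption, for illustration).
const COMMON_PASSWORDS = new Set([
  "12345678", "password", "qwerty123", "letmein", "iloveyou", "admin123",
]);

// True for runs where every character is +1 or -1 from the previous one,
// e.g. "12345678", "abcdefgh" or "hgfedcba".
function isSequential(s) {
  if (s.length < 2) return false;
  const step = s.charCodeAt(1) - s.charCodeAt(0);
  if (Math.abs(step) !== 1) return false;
  for (let i = 1; i < s.length; i++) {
    if (s.charCodeAt(i) - s.charCodeAt(i - 1) !== step) return false;
  }
  return true;
}

// Returns a list of policy violations; an empty list means the password is
// acceptable. Run this server-side before storing the new password hash.
function checkPasswordPolicy(password, username = "") {
  if (typeof password !== "string") return ["password must be a string"];
  const problems = [];
  if (password.length < MIN_LENGTH) {
    problems.push(`must be at least ${MIN_LENGTH} characters`);
  }
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    problems.push("is a commonly used password");
  }
  if (/^\d+$/.test(password)) problems.push("must not be digits only");
  if (isSequential(password)) problems.push("must not be a simple sequence");
  if (username && password.toLowerCase().includes(username.toLowerCase())) {
    problems.push("must not contain the username");
  }
  // Require at least three of the four character classes.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  if (classes < 3) {
    problems.push("must use at least three of: lowercase, uppercase, digits, symbols");
  }
  return problems;
}

// The value from the proof of concept fails on every rule above.
console.log(checkPasswordPolicy("12345678"));
```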
Chris validated this vulnerability a year ago
This has been fixed in v1.2.2. I will update this report once it has been released.
Vishal Vishwakarma has been awarded the disclosure bounty