Incorrect use of privileged APIs to steal victim's account in polonel/trudesk

Valid

Reported on

Jun 6th 2022

Description

When user can edit their profile --> Incorrect use of privileged APIs to steal victim's account

Proof of Concept


1. Login with hacker's account, get the request when edit profile
2. Replace the endpoint and email with victim's one
3. Send the request.
POC video:
https://drive.google.com/file/d/1fhauDTJ0sbDSMoAuRydHE-60wC8XE_ic/view?usp=sharing

Impact

Hacker can access all accounts that he know the mail (leak in message page)
Dangerous for all users
Hacker can steal an admin's account --> get the highest permission

Occurrences

users.js L416-L571

users.js L598-L631

We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago

We have contacted a member of the polonel/trudesk team and are waiting to hear back a year ago

A polonel/trudesk maintainer has acknowledged this report a year ago

Chris assigned a CVE to this report a year ago

Chris validated this vulnerability a year ago

Lê Ngọc Hoa has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Chris

commented a year ago

Maintainer

This has been fixed in v1.2.4. I will update this report once released.

Chris

commented a year ago

Maintainer

Please note that if the user has the accounts update permission they can update any user account as per design. This is usually reserved for Admin or Support roles that may need the user's password reset.

Although your report was indeed valid, it only worked if the "hacker" user had permission to update accounts anyway. It did however lead to an issue where the permissions were needed to update your own profile which in itself was a vulnerability. This is what has been fixed.