Incorrect use of privileged APIs to steal victim's account in polonel/trudesk

Valid

Reported on

Jun 6th 2022


Description

When user can edit their profile --> Incorrect use of privileged APIs to steal victim's account

Proof of Concept


1. Login with hacker's account, get the request when edit profile
2. Replace the endpoint and email with victim's one
3. Send the request.
POC video:
https://drive.google.com/file/d/1fhauDTJ0sbDSMoAuRydHE-60wC8XE_ic/view?usp=sharing

Impact

  • Hacker can access all accounts that he know the mail (leak in message page)
  • Dangerous for all users
  • Hacker can steal an admin's account --> get the highest permission
We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back a year ago
polonel/trudesk maintainer has acknowledged this report a year ago
Chris assigned a CVE to this report a year ago
Chris validated this vulnerability a year ago
Lê Ngọc Hoa has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris
a year ago

Maintainer


This has been fixed in v1.2.4. I will update this report once released.

Chris
a year ago

Maintainer


Please note that if the user has the accounts update permission they can update any user account as per design. This is usually reserved for Admin or Support roles that may need the user's password reset.

Although your report was indeed valid, it only worked if the "hacker" user had permission to update accounts anyway. It did however lead to an issue where the permissions were needed to update your own profile which in itself was a vulnerability. This is what has been fixed.

Lê Ngọc Hoa
a year ago

Researcher


I got that! Thank you @maintainer!

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the polonel/trudesk team. We will try again in 10 days. a year ago
Chris marked this as fixed in 1.2.4 with commit 83fd5a a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE
users.js#L598-L631 has been validated
users.js#L416-L571 has been validated
to join this conversation