Incorrect use of privileged APIs to steal victim's account in polonel/trudesk

Status: Valid

Reported on: Jun 6th 2022


Description

When a user can edit their profile --> incorrect use of privileged APIs to steal a victim's account

Proof of Concept


1. Log in with the hacker's account and capture the request sent when editing the profile.
2. Replace the endpoint and the email with the victim's.
3. Send the request.
POC video:
https://drive.google.com/file/d/1fhauDTJ0sbDSMoAuRydHE-60wC8XE_ic/view?usp=sharing

Impact

  • The hacker can access any account whose email they know (emails leak on the message page)
  • Dangerous for all users
  • The hacker can steal an admin's account --> get the highest permissions
Timeline

  • We are processing your report and will contact the polonel/trudesk team within 24 hours. (23 days ago)
  • We have contacted a member of the polonel/trudesk team and are waiting to hear back. (22 days ago)
  • polonel/trudesk maintainer has acknowledged this report. (22 days ago)
  • Chris Brame assigned a CVE to this report. (21 days ago)
  • Chris Brame validated this vulnerability. (21 days ago)
  • Lê Ngọc Hoa has been awarded the disclosure bounty.
  • The fix bounty is now up for grabs.
  • The researcher's credibility has increased: +7
Chris Brame (Maintainer), 21 days ago:
This has been fixed in v1.2.4. I will update this report once released.

Chris Brame (Maintainer), 21 days ago:
Please note that if the user has the accounts update permission they can update any user account as per design. This is usually reserved for Admin or Support roles that may need the user's password reset.

Although your report was indeed valid, it only worked if the "hacker" user had permission to update accounts anyway. It did however lead to an issue where the permissions were needed to update your own profile which in itself was a vulnerability. This is what has been fixed.
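
The distinction the maintainer draws, between editing your own profile and holding the privileged accounts update permission, is the whole authorization decision behind this report. The following is an added example, not trudesk's own code and not the fix in commit 83fd5a: a small model of an "update account" handler in two forms. The "before" form has a single permission gate, takes the target account from the request, and (because ordinary users were granted the gate's permission so they could edit themselves) lets any user rewrite any account. The "after" form allows self-edits without the permission, restricts them to a safe field set, and requires the permission only for cross-account edits, which it also writes to an audit log. The role names, the permission string, the field lists and the request shape are assumptions for illustration.

```javascript
// Added example, not trudesk's own code. Models the authorization problem the
// report describes. Role names, the permission string, field lists and the
// request shape are assumptions for illustration only.

const PERM_UPDATE_ACCOUNTS = 'accounts:update';
const SELF_EDITABLE_FIELDS = ['fullname', 'email', 'password'];
const PRIVILEGED_FIELDS = [...SELF_EDITABLE_FIELDS, 'role'];

// Constructed sample data: a fresh copy of three accounts per scenario.
function makeStore() {
  return new Map([
    [1, { id: 1, username: 'alice', email: 'alice@example.test', role: 'admin' }],
    [2, { id: 2, username: 'bob', email: 'bob@example.test', role: 'user' }],
    [3, { id: 3, username: 'mallory', email: 'mallory@example.test', role: 'user' }],
  ]);
}

// "Before": ordinary users hold the privileged permission because the
// self-profile page was wired to the same guard as the admin account editor.
const ROLE_PERMS_BEFORE = { admin: [PERM_UPDATE_ACCOUNTS], support: [PERM_UPDATE_ACCOUNTS], user: [PERM_UPDATE_ACCOUNTS] };
// "After": only roles that manage other people's accounts hold it.
const ROLE_PERMS_AFTER = { admin: [PERM_UPDATE_ACCOUNTS], support: [PERM_UPDATE_ACCOUNTS], user: [] };

function hasPermission(perms, actor, perm) {
  return (perms[actor.role] || []).includes(perm);
}

// Vulnerable handler: one permission check and no ownership check. Since every
// role carries the permission, any user can rewrite any account's fields,
// including the email address used for login and password resets.
function updateAccountVulnerable(store, actor, targetId, changes) {
  if (!hasPermission(ROLE_PERMS_BEFORE, actor, PERM_UPDATE_ACCOUNTS)) {
    return { status: 403, error: 'forbidden' };
  }
  const target = store.get(targetId);
  if (!target) return { status: 404, error: 'not found' };
  Object.assign(target, changes);
  return { status: 200, user: target };
}

// Hardened handler: the actor may always edit their own account (limited field
// set) and needs the privileged permission to touch anyone else. Denied and
// successful cross-account edits are recorded in an audit log for review.
function updateAccount(store, actor, targetId, changes, audit = []) {
  const target = store.get(targetId);
  if (!target) return { status: 404, error: 'not found' };
  const isSelf = actor.id === targetId;
  const privileged = hasPermission(ROLE_PERMS_AFTER, actor, PERM_UPDATE_ACCOUNTS);
  if (!isSelf && !privileged) {
    audit.push({ event: 'account.update.denied', actor: actor.id, target: targetId });
    return { status: 403, error: 'forbidden' };
  }
  const allowed = privileged ? PRIVILEGED_FIELDS : SELF_EDITABLE_FIELDS;
  const rejected = Object.keys(changes).filter((k) => !allowed.includes(k));
  if (rejected.length > 0) {
    return { status: 400, error: `fields not permitted: ${rejected.join(', ')}` };
  }
  Object.assign(target, changes);
  if (!isSelf) {
    audit.push({ event: 'account.update', actor: actor.id, target: targetId, fields: Object.keys(changes) });
  }
  return { status: 200, user: target };
}

// Walk-through of the report's scenario against both handlers: mallory (an
// ordinary user) tries to change bob's email, then edits her own profile,
// then tries to give herself the admin role; alice (admin) resets bob's password.
function demo() {
  const before = makeStore();
  const takeover = updateAccountVulnerable(before, before.get(3), 2, { email: 'mallory@example.test' });

  const after = makeStore();
  const audit = [];
  const blocked = updateAccount(after, after.get(3), 2, { email: 'mallory@example.test' }, audit);
  const selfEdit = updateAccount(after, after.get(3), 3, { fullname: 'Mallory' }, audit);
  const escalation = updateAccount(after, after.get(3), 3, { role: 'admin' }, audit);
  const adminReset = updateAccount(after, after.get(1), 2, { password: 'temp-reset' }, audit);
  return { takeover, blocked, selfEdit, escalation, adminReset, audit };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points carry over to any real profile endpoint: the ownership check compares the authenticated actor's id with the target id taken from the route, never with a user-supplied id in the body, and the field allowlist for self-edits is what stops a "self" update from becoming a role change. The audit entries on cross-account updates are what a support team would review to spot the kind of takeover the report describes.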

Lê Ngọc Hoa (Researcher), 21 days ago:
I got that! Thank you @maintainer!

  • We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. (18 days ago)
  • We have sent a second fix follow up to the polonel/trudesk team. We will try again in 10 days. (11 days ago)
  • Chris Brame confirmed that a fix has been merged on 83fd5a. (10 days ago)
  • Chris Brame has been awarded the fix bounty.
  • users.js#L598-L631 has been validated.
  • users.js#L416-L571 has been validated.