The trudesk application allows large characters to insert in the input field "Full Name" on the signup field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in polonel/trudesk

Valid

Reported on

May 14th 2022


POC:

  1. go to signup form: http://127.0.0.1:8118/signup
  2. Fill the Full Name input field with huge characters(more than lakhs or crores)
  3. After created the account, check the admin panel: http://127.0.0.1:8118/accounts, go to Accounts --> customers
  4. The admin panel will be flooded with our payload

POC Screenshot:

https://ibb.co/2Nvj908

POC video:

https://www.mediafire.com/file/vng5aufoydb6hl5/trudesk-poc.mov/file

Impact

  1. It can leads to Senial of service attack
We are processing your report and will contact the polonel/trudesk team within 24 hours. 8 days ago
polonel/trudesk maintainer has acknowledged this report 8 days ago
Chris Brame assigned a CVE to this report 8 days ago
Chris Brame validated this vulnerability 8 days ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris Brame confirmed that a fix has been merged on 87e231 8 days ago
Chris Brame has been awarded the fix bounty
to join this conversation