The trudesk application allows large characters to insert in the input field "Full Name" on the signup field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in polonel/trudesk

Valid

Reported on

May 14th 2022

POC:

  1. go to signup form: http://127.0.0.1:8118/signup
  2. Fill the Full Name input field with huge characters(more than lakhs or crores)
  3. After created the account, check the admin panel: http://127.0.0.1:8118/accounts, go to Accounts --> customers
  4. The admin panel will be flooded with our payload

POC Screenshot:

https://ibb.co/2Nvj908

POC video:

https://www.mediafire.com/file/vng5aufoydb6hl5/trudesk-poc.mov/file

Impact

  1. It can leads to Senial of service attack
We are processing your report and will contact the polonel/trudesk team within 24 hours. 10 months ago
polonel/trudesk maintainer has acknowledged this report 10 months ago
Chris Brame assigned a CVE to this report 10 months ago
Chris Brame validated this vulnerability 10 months ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris Brame marked this as fixed in 1.2.2 with commit 87e231 10 months ago
Chris Brame has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation