The trudesk application allows large characters to insert in the input field "Name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in polonel / trudesk in polonel/trudesk

Valid

Reported on

May 16th 2022


Proof of Concept

1 - Go to Profile or https://docker.trudesk.io/profile

2 - and fill name input field with huge characters

Payload :- https://drive.google.com/file/d/17-SH8ZaTqBTQGugpbh2SQtTKnJOL9NIK/view?usp=sharing

Video POC :- https://drive.google.com/file/d/1LYSRwVl6hAS_1Q1cYJNYkBgH8YNEBk_Y/view?usp=sharing

Screenshot of POC -: https://drive.google.com/file/d/1jKOLbBVq2SOD20bCvvXirOf-5mtsvaEC/view?usp=sharing

Impact

It can leads to denial of service attack

We are processing your report and will contact the polonel/trudesk team within 24 hours. a month ago
polonel/trudesk maintainer has acknowledged this report a month ago
Chris Brame validated this vulnerability a month ago
Vishal Vishwakarma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris Brame
a month ago

Maintainer


This has been fixed in v1.2.2. I will update this report once it has been released.

Vishal
a month ago

Researcher


@admin can you please assigned as cve

Jamie Slome
a month ago

Admin


Sorted 👍

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a month ago
Chris Brame confirmed that a fix has been merged on e836d0 a month ago
Chris Brame has been awarded the fix bounty
to join this conversation