The trudesk application allows large characters to insert in the input field "Name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in polonel / trudesk in polonel/trudesk

Valid

Reported on

May 16th 2022

Proof of Concept

1 - Go to Profile or https://docker.trudesk.io/profile

2 - and fill name input field with huge characters

Payload :- https://drive.google.com/file/d/17-SH8ZaTqBTQGugpbh2SQtTKnJOL9NIK/view?usp=sharing

Video POC :- https://drive.google.com/file/d/1LYSRwVl6hAS_1Q1cYJNYkBgH8YNEBk_Y/view?usp=sharing

Screenshot of POC -: https://drive.google.com/file/d/1jKOLbBVq2SOD20bCvvXirOf-5mtsvaEC/view?usp=sharing

Impact

It can leads to denial of service attack

We are processing your report and will contact the polonel/trudesk team within 24 hours. 2 years ago
polonel/trudesk maintainer has acknowledged this report 2 years ago
Chris validated this vulnerability 2 years ago
Vishal Vishwakarma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris
2 years ago

Maintainer

This has been fixed in v1.2.2. I will update this report once it has been released.

Vishal
2 years ago

Researcher

@admin can you please assigned as cve

Jamie Slome
2 years ago

Admin

Sorted 👍

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. 2 years ago
Chris marked this as fixed in 1.2.2 with commit e836d0 2 years ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation