Allowing long passwords leads to denial of service in polonel/trudesk


Reported on

May 15th 2022

Description

The trudesk application accepts a very long password (10,000,000 characters) in the Password parameter. Submitting such a value makes it possible to mount a denial-of-service attack against the server, which may leave the website unavailable or unresponsive. This class of problem usually comes from a password-hashing implementation that places no length limit on its input: password hashes such as bcrypt, scrypt and PBKDF2 are deliberately expensive, and when the application passes an unbounded, attacker-supplied string into the hashing step, every request forces the server to receive, buffer and process a string of whatever size the attacker chose, on top of the hash's own fixed cost. Repeated requests then exhaust CPU and memory. The length check belongs before the hash call, not after it.

Proof of Concept

1. Locate the request that sends the Password parameter.

2. Copy the payload from this link:- and paste it into the Password parameter.

3. Observe that the application accepts the long password. This can lead to DoS and can be escalated to DDoS by sending the same request from many sources.

Video POC :-


This vulnerability can be abused in a DDoS attack, during which genuine users will not be able to access the resources/application.

We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago
Chris validated this vulnerability a year ago
Vishal Vishwakarma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris marked this as fixed in 1.2.2 with commit e836d0 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


@admin can you please assign this a CVE

Jamie Slome
a year ago


Sorted 👍
