Improper Privilege Management in uvdesk/core-framework


Reported on

Jul 19th 2021

✍️ BUG

Privilege escalation bug to pin threads

🕵️‍♂️ Proof of Concept

1. First, from the admin account go to http://localhost/uvdesk/public/en/member/agents and add a new user called user-B with the Agent role.
Now give user-B all ticketing permissions (update/add/edit/delete/lock/pin a ticket, etc.).
Also give the permission below:

Ticket View--->Individual Access

So user-B can only access tickets that are assigned to him.

2. Now, as admin, create a new ticket; its URL will look like http://localhost/uvdesk/public/en/member/ticket/view/1.
Don't assign this ticket to user-B.
So user-B should not be able to see this ticket.

3. Now log in to the user-B account. User-B cannot see the above ticket via http://localhost/uvdesk/public/en/member/ticket/view/1 and gets "permission denied".
Finally, user-B sends the request below to pin a thread:

PATCH /en/member/thread/action/6884640 HTTP/1.1
Cookie: cf_clearance=ef9a97e5ca3741a3a96a4c9831b71f8079ef6ac4-1626160435-0-250; UVSESSID=0000000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 72
Te: trailers
Connection: close


Here, in this URL, change the ticket-id and thread-id, forward the request, and observe that the thread is pinned by user-B, who does not have permission to access the ticket.

💥 Impact

Privilege escalation bug to pin threads.

We have contacted a member of the uvdesk/core-framework team and are waiting to hear back a year ago
uvdesk/core-framework maintainer has invalidated this vulnerability a year ago

We found this bug in Uvdesk open source and we fixed it here:

The disclosure bounty has been dropped
The fix bounty has been dropped
Jamie Slome
a year ago


@uvdesk - should this be marked as invalid?

Just checking on behalf of @ranjit-git.

a year ago

I had marked it invalid by mistake. But it was a genuine issue, and we fixed it here.

Jamie Slome
a year ago


It looks like the issue is in a different repository, compared to the repository mentioned in this report?

a year ago

1. Find the public function threadXHR inside Core-framework -> Controller -> Thread.php

2. Download and add code like this.

3. Here is the code
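The report's proof of concept and the maintainer's fix steps above both come down to one missing check: the thread action endpoint acted on a thread without confirming the caller may access the ticket the thread belongs to. The following is an added, self-contained PHP illustration of that ticket-scope check; it is not uvdesk's own code or its patch, and all names, data and the 'all'/'individual' view levels are constructed assumptions.

```php
<?php
// Added example, not uvdesk's own code: the ticket-scope check that the report
// says was missing from the thread action endpoint. All names are hypothetical.

declare(strict_types=1);

const VIEW_ALL = 'all';               // agent may see every ticket
const VIEW_INDIVIDUAL = 'individual'; // "Ticket View ---> Individual Access"

// Constructed sample data mirroring the report: ticket 1 is assigned to the
// admin (id 1); user-B (id 2) has Individual Access and is not assigned to it.
$tickets = [1 => ['assignedTo' => 1]];
$threads = [6884640 => ['ticketId' => 1, 'pinned' => false]];
$admin = ['id' => 1, 'isAdmin' => true,  'ticketView' => VIEW_ALL];
$userB = ['id' => 2, 'isAdmin' => false, 'ticketView' => VIEW_INDIVIDUAL];

// The rule the ticket view page already enforces.
function canAccessTicket(array $agent, array $ticket): bool
{
    if ($agent['isAdmin'] || $agent['ticketView'] === VIEW_ALL) {
        return true;
    }
    // Individual Access: only tickets assigned to this agent.
    return $ticket['assignedTo'] === $agent['id'];
}

// The thread endpoint must resolve the thread's ticket and apply the same
// rule; otherwise a thread id becomes a way around the ticket-level check.
function pinThread(array $agent, int $threadId, array &$threads, array $tickets): int
{
    if (!isset($threads[$threadId])) {
        return 404;
    }
    $ticket = $tickets[$threads[$threadId]['ticketId']];
    if (!canAccessTicket($agent, $ticket)) {
        return 403; // same answer user-B gets on /member/ticket/view/1
    }
    $threads[$threadId]['pinned'] = true;
    return 200;
}

// The two requests from the report: admin succeeds, user-B is refused.
printf("admin  -> HTTP %d\n", pinThread($admin, 6884640, $threads, $tickets));
printf("user-B -> HTTP %d\n", pinThread($userB, 6884640, $threads, $tickets));
```

The point is that the authorization decision is made from the thread's parent ticket on the server, not from anything the client sends in the request body.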

Jamie Slome
a year ago


@maintainer @ranjit-git - I have updated the report to point to the correct repository, and have reset the status of the report to pending.

Feel free to mark as valid and confirm the patch when you are ready.

uvdesk/core-framework maintainer validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
uvdesk/core-framework maintainer confirmed that a fix has been merged on 361b8c a year ago
