Allocation of Resources Without Limits in polonel/trudesk

Valid

Reported on

May 20th 2022


Steps to reproduce:

  1. As an admin, start a new conversation with any member (a normal user).
  2. If the member (normal user) replies with a message containing a huge number of characters (more than a crore, i.e. ten million), the admin may no longer be able to access the dashboard, which starts lagging, because the server is put into a denial-of-service state.

POC Screenshot:


POC Video:

https://www.mediafire.com/file/tzfqws14imvdfxr/trudesk_dos.mov/file

Patch recommendation:

  1. Limit the message length to a maximum (5000 or 10000 characters).

Impact

  1. Denial of service
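The limit recommended above, implemented as an added example (not trudesk's own code) for a Node.js/Express handler that receives a chat message. The limits (10000 characters, 64 KiB of UTF-8) and the `req.body.body` field name are assumptions chosen for illustration, and the check is enforced before the message reaches the database or other connected clients.

```javascript
// Added example, not code from trudesk. Assumed limits: 10000 characters
// and 64 KiB of UTF-8 per message; tune them to the application's needs.
const MAX_MESSAGE_CHARS = 10000;
const MAX_MESSAGE_BYTES = 64 * 1024;

// Returns { ok: true, chars, bytes } for an acceptable message, otherwise
// { ok: false, reason, ... } so the caller can reject it cheaply.
function validateMessageBody(body, opts = {}) {
  const maxChars = opts.maxChars ?? MAX_MESSAGE_CHARS;
  const maxBytes = opts.maxBytes ?? MAX_MESSAGE_BYTES;
  if (typeof body !== 'string') {
    return { ok: false, reason: 'message body must be a string' };
  }
  // Count Unicode code points rather than UTF-16 code units, so a message
  // made of emoji or other astral characters is measured consistently.
  const chars = Array.from(body).length;
  if (chars > maxChars) {
    return { ok: false, reason: `message exceeds ${maxChars} characters`, chars };
  }
  // A character cap alone does not bound memory: multi-byte characters can
  // make a short-looking message large, so bound the encoded size as well.
  const bytes = Buffer.byteLength(body, 'utf8');
  if (bytes > maxBytes) {
    return { ok: false, reason: `message exceeds ${maxBytes} bytes`, bytes, chars };
  }
  return { ok: true, chars, bytes };
}

// Express-style middleware factory. The field name req.body.body is an
// assumption; answer 413 so an oversized message is refused before any
// storage or broadcast work is done.
function messageLengthGuard(opts) {
  return function (req, res, next) {
    const result = validateMessageBody(req.body && req.body.body, opts);
    if (!result.ok) {
      return res.status(413).json({ success: false, error: result.reason });
    }
    next();
  };
}
```

Pair the per-message check with a request body size limit at the JSON parser (for example `express.json({ limit: ... })`) so oversized payloads are dropped before they are even parsed.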
We are processing your report and will contact the polonel/trudesk team within 24 hours. a month ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back a month ago
We have sent a follow up to the polonel/trudesk team. We will try again in 7 days. a month ago
polonel/trudesk maintainer has acknowledged this report a month ago
Chris Brame
a month ago

Maintainer


This has been fixed and will be released with version 1.2.3. I will update this report once released.

Chris Brame assigned a CVE to this report a month ago
Chris Brame validated this vulnerability a month ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris Brame confirmed that a fix has been merged on b7c151 a month ago
Chris Brame has been awarded the fix bounty