Allocation of Resources Without Limits in polonel/trudesk

Valid

Reported on

May 20th 2022


Steps to reproduce:

  1. As an admin, start a new conversation with any member(normal user)
  2. If the member (normal user) replies with a text of a huge number of characters (more than crores, etc.), the admin may not be able to access the dashboard and it starts lagging, because the server gets DoSed

POC Screenshot:


POC Video:

https://www.mediafire.com/file/tzfqws14imvdfxr/trudesk_dos.mov/file

Patch recommendation:

  1. Limit the characters to max (5000 or 10000)
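An added example, not trudesk's own code, of the server-side length limit this recommendation describes, written in Node.js because trudesk is a Node application. The constants MAX_MESSAGE_CHARS and MAX_BODY_BYTES, the functions checkRawBodySize, validateMessage and handleSendMessage, and the request field names req.rawBody and message are assumptions for illustration.

```javascript
// Added example (not trudesk's code): enforce message length limits on the
// server so a single oversized reply cannot tie up the dashboard.
// All names below are assumed, not taken from the trudesk code base.

const MAX_MESSAGE_CHARS = 5000;     // per-message cap suggested in the report
const MAX_BODY_BYTES = 64 * 1024;   // cap on the raw request body (assumed value)

// First line of defence: refuse oversized raw bodies before JSON parsing,
// so the server never parses or stores a multi-megabyte payload.
function checkRawBodySize(rawBody) {
  return Buffer.byteLength(rawBody, 'utf8') <= MAX_BODY_BYTES;
}

// Second line of defence: validate the parsed message text. Counts Unicode
// code points rather than UTF-16 units so emoji and CJK text are limited
// consistently. Safe to call only after the byte cap above has been applied.
function validateMessage(text) {
  if (typeof text !== 'string') {
    return { ok: false, status: 400, error: 'message body must be a string' };
  }
  const trimmed = text.trim();
  if (trimmed.length === 0) {
    return { ok: false, status: 400, error: 'message body is empty' };
  }
  const codePoints = Array.from(trimmed).length;
  if (codePoints > MAX_MESSAGE_CHARS) {
    return { ok: false, status: 413, error: `message exceeds ${MAX_MESSAGE_CHARS} characters` };
  }
  return { ok: true, status: 200, message: trimmed };
}

// Minimal handler modelled on an Express route. `req.rawBody` holds the
// unparsed request body as a string; `message` is the assumed JSON field.
function handleSendMessage(req) {
  if (!checkRawBodySize(req.rawBody)) {
    return { status: 413, body: { error: 'request body too large' } };
  }
  let parsed;
  try {
    parsed = JSON.parse(req.rawBody);
  } catch (e) {
    return { status: 400, body: { error: 'invalid JSON' } };
  }
  const result = validateMessage(parsed.message);
  if (!result.ok) {
    return { status: result.status, body: { error: result.error } };
  }
  return { status: 200, body: { accepted: true, chars: Array.from(result.message).length } };
}
```

The byte cap at the parser layer is what actually stops the resource exhaustion; the character cap is the user-facing limit the report asks for.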

Impact

  1. Denial of service
We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back a year ago
We have sent a follow up to the polonel/trudesk team. We will try again in 7 days. a year ago
polonel/trudesk maintainer has acknowledged this report a year ago
Chris
a year ago

Maintainer


This has been fixed and will release with version 1.2.3. I will update this report once released.

Chris assigned a CVE to this report a year ago
Chris validated this vulnerability a year ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris marked this as fixed in 1.2.3 with commit b7c151 a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE