Send messenger to another user with any sender account in polonel/trudesk
Valid
Reported on
May 24th 2022
Description
Send messenger to another user with any sender account
Proof of Concept
1. Login with account A.
2. When click to the message box of the user Victim X we have the id of this message page (in URL), such as https://docker.trudesk.io/messages/628ceabe32b93e62146a7d75 is the URL of message A to victim X. Copy this URL
3. Login with account B. Paste the copied URL and access, send a message, such as "this message is from B"
4. In the page message of A, we receive a message from victim X with content "this message is from B"
(X do not send the message, B send the message but A receive the message from X)
Impact
- Break the message page of another user
- Fake information in message page of another user
References
We are processing your report and will contact the
polonel/trudesk
team within 24 hours.
a month ago
Lê Ngọc Hoa modified the report
a month ago
Lê Ngọc Hoa modified the report
a month ago
We have contacted a member of the
polonel/trudesk
team and are waiting to hear back
a month ago
Please test on version 1.2.2 as the demo version is being decommissioned at the end of the month.
I tested on version 1.2.2 and it still got this vulnerability! This is my new POC video:
https://drive.google.com/file/d/1oZwpLdd9sd5OaZsd8qVPJh_lz5g9XsmW/view?usp=sharing
Thank you !!!
Lê Ngọc Hoa modified the report
a month ago
We have sent a
follow up to the
polonel/trudesk
team.
We will try again in 7 days.
a month ago
The researcher's credibility has increased: +7
This has been fixed and will release with version 1.2.3 I will update this report once released.
Chris Brame
has been awarded the fix bounty
to join this conversation