Send messenger to another user with any sender account in polonel/trudesk

Valid

Reported on May 24th 2022

Description

Send messenger to another user with any sender account

Proof of Concept

1. Log in with account A.
2. When clicking the message box of the user Victim X, we have the id of this message page (in the URL); for example, https://docker.trudesk.io/messages/628ceabe32b93e62146a7d75 is the URL of the messages from A to victim X. Copy this URL.
3. Log in with account B. Paste the copied URL and access it, then send a message, such as "this message is from B".
4. In the message page of A, we receive a message from victim X with the content "this message is from B".
(X does not send the message; B sends the message, but A receives the message from X.)

Impact

  • Break the message page of another user
  • Fake information in message page of another user
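
One way to enforce the check this report shows is missing, as an added example (not trudesk's code and not the fix in commit 314540): every route that accepts a conversation id verifies that the session user is a participant, and the sender is taken from the session only. The store, ids and function names are hypothetical, and the sample data is constructed.

```javascript
// Constructed sample data: one conversation between A and X (ids are made up).
const conversations = new Map([
  ['conv-ax', { participants: ['user-a', 'user-x'], messages: [] }],
]);

function httpError(status, message) {
  return Object.assign(new Error(message), { status });
}

// Hypothetical helper shared by every route that takes a conversation id.
// sessionUserId must come from the authenticated session, never the request.
function loadConversationFor(sessionUserId, conversationId) {
  const conversation = conversations.get(conversationId);
  // Same answer for "does not exist" and "not a participant".
  if (!conversation || !conversation.participants.includes(sessionUserId)) {
    throw httpError(404, 'Conversation not found');
  }
  return conversation;
}

// Viewing the message page (step 3 of the report: paste the URL and access it).
function viewConversation(sessionUserId, conversationId) {
  return loadConversationFor(sessionUserId, conversationId).messages.slice();
}

// Sending: the sender is always the session user, so a stored message
// cannot be attributed to anyone else in the conversation.
function sendMessage(sessionUserId, conversationId, body) {
  const conversation = loadConversationFor(sessionUserId, conversationId);
  if (typeof body !== 'string' || body.trim() === '') {
    throw httpError(400, 'Empty message');
  }
  const message = { from: sessionUserId, body };
  conversation.messages.push(message);
  return message;
}

// Maps a call to the HTTP status a client would see.
function statusOf(action) {
  try {
    action();
    return 200;
  } catch (err) {
    if (err.status) return err.status;
    throw err;
  }
}

// Account B replaying A's conversation URL is refused.
console.log(statusOf(() => sendMessage('user-b', 'conv-ax', 'this message is from B')));
```
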
Chris (Maintainer), a year ago:

Need to know what version you tested on?

Lê Ngọc Hoa (Researcher), a year ago:

I tested on the demo version

Chris (Maintainer), a year ago:

Please test on version 1.2.2 as the demo version is being decommissioned at the end of the month.

Lê Ngọc Hoa (Researcher), a year ago:

I tested on version 1.2.2 and it still has this vulnerability! This is my new POC video:

https://drive.google.com/file/d/1oZwpLdd9sd5OaZsd8qVPJh_lz5g9XsmW/view?usp=sharing

Thank you!!!

Chris assigned a CVE to this report a year ago
Chris validated this vulnerability a year ago
Lê Ngọc Hoa has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris (Maintainer), a year ago:

This has been fixed and will release with version 1.2.3. I will update this report once released.

Chris marked this as fixed in 1.2.3 with commit 314540 a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE