Register users in spite of Allow User Registration disabled in polonel/trudesk


Reported on

May 12th 2022


Attacker can register a user in spite of the Allow User Registration is disable by default.

Proof of Concept

  1. Go to /captcha, get the captcha value and cookie. alt text
  2. Send POST request to (/api/v1/public/account/create) with the value of captcha and cookie in step 1.
    //POST HOST/api/v1/public/account/create
    "user": {
        "fullname": "uname",
        "email": "",
        "password": "passwd"
    "captcha": "captcha"

alt text

  1. Register successfuly.


Same POC with endpoint Create New Ticket(/api/v1/public/tickets/create)

{"user":{"fullname":"tpa tpa2","email":""},"ticket":{"subject":"123","issue":"123"},"captcha":"Dazr"}


Attacker can register a user and get inside the dashboard.

We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago
tienpa99 modified the report
a year ago
tienpa99 modified the report
a year ago
tienpa99 modified the report
a year ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back a year ago
a year ago


Can you try the same request once you log out of the app as yourself? It's using your permissions since you're logged in.

a year ago


Actually, I see the issue. I will publish a fix soon.

Chris validated this vulnerability a year ago
tienpa99 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a year ago
Chris marked this as fixed in 1.2.2 with commit 49befa a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE
a year ago


Confirm the bug has been fixed.

to join this conversation