Unrestricted File Upload and Path Traversal in upload image in polonel/trudesk


Reported on May 12th 2022


The uploadImage function in accountsController takes the file path and extension from user-supplied values. An attacker can change the path and the extension to upload a dangerous file anywhere on the server.

Proof of Concept

1. Log in
2. Upload a profile image
3. Capture the request and modify `username` and `filename`:

POST /accounts/uploadImage HTTP/1.1
Content-Length: 452
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQXoDBooqQ26crHR0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: connect.sid=s%3A01nLIvLiz-oEhbSpekE9nwUSl9R_PQF1.GeCCIcToZnO%2BDlTis77aXBlVGyVOaQDURoUrIcrXQ%2BM; $trudesk%3Atimezone=America/New_York
Connection: close

Content-Disposition: form-data; name="username"

Content-Disposition: form-data; name="_id"

Content-Disposition: form-data; name="image"; filename="filename.anything"
Content-Type: image/jpeg

<image content>



An authenticated user can upload a dangerous file anywhere on the server (for example, uploading a file with a .html extension leads to stored XSS).


This function passes object.username into path.join(), which leads to path traversal, and takes the extension from path.extname(filename), which allows uploading a file of a dangerous type.

We are processing your report and will contact the polonel/trudesk team within 24 hours. 2 months ago
tienpa99 modified the report
2 months ago
tienpa99 modified the report
2 months ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back 2 months ago
polonel/trudesk maintainer has acknowledged this report 2 months ago
tienpa99, a month ago:

Hi, I see you have read the report. Is it hard to understand, or does the PoC not work?

Chris Brame assigned a CVE to this report a month ago
Chris Brame validated this vulnerability a month ago
Chris Brame, a month ago:


This has been fixed in v1.2.2. I will update this report once it has been released.

tienpa99, a month ago:


Sure. Just update here, I will recheck this issue.

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a month ago
Chris Brame confirmed that a fix has been merged on d107f1 a month ago
accounts.js#L485-L505 has been validated