Improper Privilege Management API V2 in polonel/trudesk


Reported on May 12th 2022


Some API v2 endpoints don't check permissions, allowing attackers to retrieve/edit information about tickets, accounts, groups, departments, teams, and ElasticSearch.

Proof of Concept

Get users list

1. Login.
2. Go to `/api/v2/accounts?type=all`.
3. Users list return.


Create user with admin role

1. Get the admin role id in `/api/v2/accounts`.
2. Send POST to `/api/v2/accounts`.
3. Created successfully.


Many API endpoints are vulnerable; I just show a piece of the attack vector that can happen.


The attacker takes full control of the website.


Routes without isAdmin are vulnerable
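To make the "routes without isAdmin" point concrete, here is an added example (not trudesk's code and not its fix commit) of an Express-style role guard mounted in front of API v2 handlers. It uses a tiny in-memory router instead of the express package so it runs offline; the `isAdmin` middleware, the `makeApp` factory, the role names `admin`/`user` and the in-memory account store are all hypothetical. The same app is built twice, once in the vulnerable shape the report describes (handler mounted with no guard) and once with the guard in front, so the difference in behaviour for an authenticated non-admin user is visible.

```javascript
// Added example, not trudesk's code. Assumes an earlier auth middleware has
// already populated req.user from the session or API key; everything else
// (isAdmin, makeApp, role names, the account store) is hypothetical.

const HTTP_OK = 200;
const HTTP_UNAUTHORIZED = 401;
const HTTP_FORBIDDEN = 403;
const HTTP_NOT_FOUND = 404;

// Role guard in Express (req, res, next) shape: unauthenticated callers get
// 401, authenticated callers without the admin role get 403, admins pass.
function isAdmin(req, res, next) {
  if (!req.user) return res.status(HTTP_UNAUTHORIZED).json({ error: 'login required' });
  if (req.user.role !== 'admin') return res.status(HTTP_FORBIDDEN).json({ error: 'admin role required' });
  return next();
}

// Mock response object mimicking the res.status(code).json(obj) chain.
function makeRes() {
  const res = { statusCode: HTTP_OK, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Builds an app with two API v2 account routes. With guardAdminRoutes=false
// the handlers are mounted bare (the vulnerable shape); with true, isAdmin
// runs first so non-admins never reach the handler.
function makeApp({ guardAdminRoutes }) {
  const store = { accounts: [{ username: 'admin', role: 'admin' }] }; // constructed sample data
  const routes = [];
  const add = (method, path, ...handlers) => routes.push({ method, path, handlers });

  // The handlers themselves contain no authorization logic, exactly the
  // situation in which a missing route-level guard becomes a vulnerability.
  const listAccounts = (req, res) =>
    res.status(HTTP_OK).json({ accounts: store.accounts.map((a) => a.username) });
  const createAccount = (req, res) => {
    store.accounts.push({ username: req.body.username, role: req.body.role });
    return res.status(HTTP_OK).json({ created: req.body.username, role: req.body.role });
  };

  const guard = guardAdminRoutes ? [isAdmin] : [];
  add('GET', '/api/v2/accounts', ...guard, listAccounts);
  add('POST', '/api/v2/accounts', ...guard, createAccount);

  // Minimal dispatcher: runs the matched route's middleware chain in order,
  // stopping as soon as a handler does not call next().
  function handle(method, path, req) {
    const route = routes.find((r) => r.method === method && r.path === path);
    const res = makeRes();
    if (!route) return { status: HTTP_NOT_FOUND, body: { error: 'not found' } };
    let i = 0;
    const next = () => {
      const handler = route.handlers[i++];
      if (handler) handler(req, res, next);
    };
    next();
    return { status: res.statusCode, body: res.body };
  }

  return { handle, store };
}

// Stand-alone demonstration: an authenticated user-role caller tries to list
// accounts and to create an admin account against both app shapes.
if (typeof require !== 'undefined' && require.main === module) {
  const userReq = { user: { username: 'alice', role: 'user' }, body: { username: 'mallory', role: 'admin' } };
  for (const guarded of [false, true]) {
    const app = makeApp({ guardAdminRoutes: guarded });
    const list = app.handle('GET', '/api/v2/accounts', userReq);
    const create = app.handle('POST', '/api/v2/accounts', userReq);
    console.log(`guarded=${guarded}: GET -> ${list.status}, POST -> ${create.status}, accounts=${app.store.accounts.length}`);
  }
}
```

The dispatcher is deliberately simple, but the shape matters: authorization lives in a middleware placed in the route chain, not in the handler, so a route that forgets the guard is visible in the route table itself, which is where the report's fix (routes.js) was validated.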

We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago
tienpa99 modified the report a year ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back a year ago
polonel/trudesk maintainer has acknowledged this report a year ago
a year ago


Hi, I see you have read the report. Is it hard to understand, or is the PoC not working?

a year ago


Can you confirm if this was performed with an admin logged in? As in you were logged in as an admin when you returned the user list and sent the post request.

I understand changing the role id of the post created an admin, but if you were logged in as an admin this is by design.

The token/apikey sent during the post was of which user/role?

a year ago


I apologize for the complicated description. Some API v2 endpoints don't check permissions. So an authenticated user can use them (with the user role or just login permission).
Chained with my other report, an attacker can get inside the dashboard and take full control of the website.

Video POC
Chris assigned a CVE to this report a year ago
Chris validated this vulnerability a year ago
tienpa99 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a year ago


This is valid and I have identified the issue. Please allow me some time before a fix is finished, as I want to double-check nothing else breaks as I implement these changes.

Chris marked this as fixed in 1.2.2 with commit 889876 a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE
routes.js#L15-L74 has been validated
a year ago


Confirm the bug has been fixed.

a year ago


Hi @admin, can you publish this cve?

Jamie Slome
a year ago


It will publish automatically 👍
