Sensitive Data Exposure Due To Insecure Storage Of Profile Image in polonel/trudesk
Mar 19th 2022
When a user uploads a profile picture, the EXIF metadata in the uploaded image, including geolocation data, is not stripped. As a result, anyone can obtain sensitive information about trudesk users, such as their geolocation and device information (device name, version, software and software version used, etc.).
Proof of Concept
1. Browse to this link: https://github.com/ianare/exif-samples/blob/master/jpg/gps/DSCN0012.jpg
2. Download the image, upload it as your profile picture, and click Save.
3. Find the path of the uploaded image (either right-click the image and copy the image address, or right-click, inspect the image, and edit the element as HTML to see the URL).
4. Open http://exif.regex.info/exif.cgi
5. Select the image and click "View Image Data". You can now see the EXIF data.
This vulnerability impacts all users on trudesk. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on trudesk.
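A server-side check for the issue reported above, as an added example that is not trudesk's code or its fix: it walks the JPEG header segments and drops any APP1 segment carrying Exif data before the upload is stored. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example; function names are illustrative, not trudesk code.
const EXIF_ID = Buffer.from('Exif\0\0', 'latin1');

// Yield every marker segment between SOI and SOS as {marker, start, end}.
function* jpegSegments(buf) {
  if (buf[0] !== 0xff || buf[1] !== 0xd8) throw new Error('not a JPEG (no SOI)');
  let pos = 2;
  while (pos + 4 <= buf.length) {
    if (buf[pos] !== 0xff) throw new Error(`bad marker at offset ${pos}`);
    const marker = buf[pos + 1];
    if (marker === 0xda) return; // SOS: compressed image data follows
    const len = buf.readUInt16BE(pos + 2); // length counts its own 2 bytes
    const end = pos + 2 + len;
    if (len < 2 || end > buf.length) throw new Error('truncated segment');
    yield { marker, start: pos, end };
    pos = end;
  }
}

// APP1 (0xE1) carries Exif only when its payload starts with "Exif\0\0".
function isExif(buf, seg) {
  return seg.marker === 0xe1 &&
    buf.subarray(seg.start + 4, seg.start + 10).equals(EXIF_ID);
}

function hasExif(buf) {
  return [...jpegSegments(buf)].some((seg) => isExif(buf, seg));
}

function stripExif(buf) {
  const segs = [...jpegSegments(buf)];
  const tail = segs.length ? segs[segs.length - 1].end : 2;
  const kept = segs.filter((s) => !isExif(buf, s))
    .map((s) => buf.subarray(s.start, s.end));
  // SOI + kept headers + everything from SOS on (image data, EOI) unchanged.
  return Buffer.concat([buf.subarray(0, 2), ...kept, buf.subarray(tail)]);
}

// Constructed sample (structure only, not a decodable picture).
function segment(marker, payload) {
  const head = Buffer.from([0xff, marker, 0, 0]);
  head.writeUInt16BE(payload.length + 2, 2);
  return Buffer.concat([head, payload]);
}
const SAMPLE = Buffer.concat([
  Buffer.from([0xff, 0xd8]), segment(0xe0, Buffer.from('JFIF\0', 'latin1')),
  segment(0xe1, Buffer.concat([EXIF_ID, Buffer.from('placeholder-gps-ifd')])),
  segment(0xda, Buffer.from([1, 2])), Buffer.from([0xff, 0xd9]),
]);
```

Calling `stripExif` on the upload buffer before it is written to disk, and rejecting input that makes it throw, keeps the stored file free of the Exif block; `hasExif` can be run over already stored avatars to find ones that still carry it.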
"This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on microweber."
Although the bounty is valid, this project is not microweber.
@maintainer Sorry, by mistake I put the microweber name because I previously reported the same vulnerability to microweber and used that template to report here, and forgot to change the name. @admin, can you edit the name from microweber to trudesk in the description?
@admin Can you register a CVE for this?
Removed microweber references from the report 👍
We can assign a CVE, we just require the GO AHEAD from the maintainer.
@Chris, are you happy for us to assign and publish a CVE for this report?
@Chris @polonel @maintainer Can you please reply?
Yes, you can assign and publish a CVE for this report.
@admin The maintainer agrees, so can you please register a CVE for this report?
CVE assigned! 👍
Once you have confirmed the fix @maintainer, we will be able to go ahead and publish the CVE.
@admin Any update on deploying a fix for this report?
@admin The maintainer has confirmed the fix for this report, so can you please update the CVE-ID on NVD/mitre?
It should be available in the next couple of hours :)