MidnightBSD

Advisories for trudesk_project

CVE-2021-45785

TruDesk Help Desk/Ticketing Solution v1.1.11 is vulnerable to a Cross-Site Request Forgery (CSRF) attack which would allow an attacker to restart the server, causing a DoS attack. The attacker must craft a webpage that would perform a GET request to the /api/v1/admin/restart endpoint, then the victim (who has sufficient privileges), would visit the page and the server restart would begin. The attacker must know the full URL that TruDesk is on in order to craft the webpage.

Products Affected

Vendor Product Version
trudesk_project trudesk 1.1.11
CVE-2022-1044 MEDIUM

Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-922,CWE-922,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1045 LOW

Stored XSS viva .svg file upload in GitHub repository polonel/trudesk prior to v1.2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-434,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1290 LOW

Stored XSS in "Name", "Group Name" & "Title" in GitHub repository polonel/trudesk prior to v1.2.0. This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1718

The trudesk application allows large characters to insert in the input field "Full Name" on the signup field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in GitHub repository polonel/trudesk prior to 1.2.2. This can lead to Denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1719

Reflected XSS on ticket filter function in GitHub repository polonel/trudesk prior to 1.2.2. This vulnerability is capable of executing a malicious javascript code in web page

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1728 MEDIUM

Allowing long password leads to denial of service in polonel/trudesk in GitHub repository polonel/trudesk prior to 1.2.2. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1752 MEDIUM

Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-434,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1754 MEDIUM

Integer Overflow or Wraparound in GitHub repository polonel/trudesk prior to 1.2.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1770 MEDIUM

Improper Privilege Management in GitHub repository polonel/trudesk prior to 1.2.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1775 HIGH

Weak Password Requirements in GitHub repository polonel/trudesk prior to 1.2.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-521,CWE-521,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1803 MEDIUM

Improper Restriction of Rendered UI Layers or Frames in GitHub repository polonel/trudesk prior to 1.2.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:H 1.7 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1021,CWE-1021,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1808 MEDIUM

Execution with Unnecessary Privileges in GitHub repository polonel/trudesk prior to 1.2.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-250,NVD-CWE-Other,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1893 MEDIUM

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository polonel/trudesk prior to 1.2.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-212,CWE-212,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1926 MEDIUM

Integer Overflow or Wraparound in GitHub repository polonel/trudesk prior to 1.2.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1931 MEDIUM

Incorrect Synchronization in GitHub repository polonel/trudesk prior to 1.2.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-821,CWE-662,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-1947 MEDIUM

Use of Incorrect Operator in GitHub repository polonel/trudesk prior to 1.2.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-480,NVD-CWE-Other,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-2023 HIGH

Incorrect Use of Privileged APIs in GitHub repository polonel/trudesk prior to 1.2.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-648,CWE-269,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2022-2128 HIGH

Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
trudesk_project trudesk *
CVE-2023-26982

Trudesk v1.2.6 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Add Tags parameter under the Create Ticket function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
trudesk_project trudesk 1.2.6