Closed: ranjit-git closed this 3 years ago
Thank you for reporting this. I really hope the UVdesk team can fix it asap with emergency priority and give immediate instructions to fix and update UVdesk.
It is nice to see someone cares about the security of the product, thanks again!
@PeopleInside
The issue reported here is not open, and it asks for our account access if we are to check it, which is not acceptable for us; we cannot provide account access to them.
@ranjit-git can report all issues to support@uvdesk.com if you do not want to make security issues public here.
@papnoisanjeev
Report details can be seen only by the repo maintainer for security reasons. If you are the maintainer, then log in to huntr with your GitHub account and you can see the details and validate them.
Other users can't see report details if they are not a repo maintainer.
If you are not interested in signing up there, then I can send you all reports via the security mail above. Please let me know what you prefer.
@ranjit-git
Report details can be seen only by the repo maintainer for security reasons.
Yes, I do have maintainer access for the project but can't provide account access.
Please send security mail to support@uvdesk.com; we will check.
@papnoisanjeev I just sent all reports to support@uvdesk.com.
Thank you @ranjit-git @papnoisanjeev. I will monitor the progress of the fix this week; I hope to be able to fix the security issues asap 😉
Hi @PeopleInside @papnoisanjeev, there are still 3 bugs that need to be fixed.
@ranjit-git I know, and I wrote to the UVdesk team in private some days or weeks ago.
It seems they are busy with some other work, and I tried to explain that a security vulnerability should be at the first position of the priority list, because this means every self-hosted server install can be vulnerable and makes the server vulnerable.
I really hope this security issue will never stay open for months. This strong security issue has been open for 21 days now.
@papnoisanjeev please fix this issue as soon as possible.
@PeopleInside @ranjit-git
We have fixed 3 issues out of 6 here and are working on the others. @Sanjaybhattwebkul is working on the security issues and will update once done.
1. Bug: privilege escalation bug to add collaborator to ticket https://huntr.dev/bounties/3-uvdesk/community-skeleton/ Fixed here.
2. Bug: unprivileged user can see all ticket details. Already fixed.
3. Bug: Stored xss https://huntr.dev/bounties/6-uvdesk/community-skeleton/ Fixed here.
4. Bug: Stored xss. Already fixed.
5. Bug: Agent can make xss attack against admin https://huntr.dev/bounties/1-uvdesk/community-skeleton/
Hello, @Sanjaybhattwebkul
If you are having problems reproducing any bug, then please comment on the provided report link and I will assist you.
Thanks
Hello, @ranjit-git
I marked all 8 reports valid via the corresponding report URL (magic link received in mail).
@Sanjaybhattwebkul thanks, but you mistakenly marked this report invalid: https://huntr.dev/bounties/3e695d80-b710-47aa-a66a-5affeb56abef
@ranjit-git I will update it as valid soon.
@ranjit-git I have marked this report as valid.
@Sanjaybhattwebkul @papnoisanjeev A few other security vulnerabilities have been submitted to your other repo https://github.com/uvdesk/core-framework; can you please validate them?
@ranjit-git Can you please tell me which security vulnerabilities you have submitted in this repo?
@Sanjaybhattwebkul https://huntr.dev/bounties/4bae2d4d-98ae-446d-aac8-44dcd3980b78/
@ranjit-git
please provide me the open link.
Email address where the open link will be sent?
sanjay.bhatt371@webkul.com
@ranjit-git We are closing this issue as all of the security issues mentioned here have been fixed. You can open a new issue if you find some more issues.
Hi, @akshaywebkul @papnoisanjeev @piyushwebkul @shubhwebkul
A few security vulnerabilities have been submitted through huntr. Please validate them:
https://huntr.dev/bounties/1-uvdesk/community-skeleton/
https://huntr.dev/bounties/2-uvdesk/community-skeleton/
https://huntr.dev/bounties/3-uvdesk/community-skeleton/
https://huntr.dev/bounties/4-uvdesk/community-skeleton/
https://huntr.dev/bounties/5-uvdesk/community-skeleton/
https://huntr.dev/bounties/6-uvdesk/community-skeleton/
The reports are only visible to the repo maintainer and the reporter.