CVE-2021-45785
Description
TruDesk Help Desk/Ticketing Solution v1.1.11 is vulnerable to a Cross-Site Request Forgery (CSRF) attack which would allow an attacker to restart the server, causing a DoS attack. The attacker must craft a webpage that would perform a GET request to the /api/v1/admin/restart endpoint, then the victim (who has sufficient privileges), would visit the page and the server restart would begin. The attacker must know the full URL that TruDesk is on in order to craft the webpage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TruDesk v1.1.11 is vulnerable to CSRF allowing an attacker to restart the server (DoS) by tricking a privileged user into visiting a crafted page.
Vulnerability
TruDesk Help Desk/Ticketing Solution version 1.1.11 is vulnerable to Cross-Site Request Forgery (CSRF) because the /api/v1/admin/restart endpoint accepts GET requests without any anti-CSRF token or origin validation. Additionally, the /api/v1/users/<user ID>/removel2auth endpoint is also vulnerable to CSRF, allowing an attacker to disable a victim's two-factor authentication [1].
Exploitation
An attacker crafts a malicious webpage that automatically submits a GET request to the /api/v1/admin/restart endpoint (e.g., via an auto-submitting form). The victim, who must have administrative privileges and be authenticated to the TruDesk instance, visits the attacker's page. The attacker must know the full URL of the TruDesk server (e.g., https://docker.trudesk.io). The PoC demonstrates a simple HTML form that triggers the request upon page load [1]. The attack can be combined with an XSS vulnerability to automatically redirect victims to the malicious page, increasing the likelihood of success.
Impact
Successful exploitation causes the TruDesk server to restart, resulting in a denial of service (DoS) that disrupts all users. The attacker can repeatedly trigger the restart, causing prolonged downtime. Additionally, the CSRF on the 2FA removal endpoint allows an attacker to disable a victim's two-factor authentication, potentially enabling account takeover if combined with other attacks [1].
Mitigation
No official fix or patched version has been disclosed in the available references. Users should implement CSRF protection (e.g., anti-CSRF tokens, SameSite cookies, or Origin/Referer header validation) on all sensitive endpoints, especially /api/v1/admin/restart and /api/v1/users/<user ID>/removel2auth. Until a patch is released, consider restricting access to the admin API endpoints via network controls or requiring manual confirmation for restart actions [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TruDesk / Help Desk/Ticketing Solution
- Range: =1.1.11
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `/api/v1/admin/restart` endpoint accepts GET requests without any CSRF protection (no anti-CSRF token, origin validation, or confirmation step)."
Attack vector
An attacker crafts a webpage containing a form that auto-submits a GET request to the `/api/v1/admin/restart` endpoint on the target TruDesk instance [ref_id=1]. The attacker must know the full URL of the TruDesk server. When a victim who has administrative privileges visits the attacker's page, the browser sends the request including the victim's session cookies, causing the server to restart without the victim's consent [ref_id=1]. This results in a denial-of-service (DoS) condition. The attack can be chained with an XSS payload to automatically redirect victims to the CSRF page, amplifying the impact [ref_id=1].
Affected code
The vulnerable endpoint is `/api/v1/admin/restart`, which accepts GET requests without any CSRF token or origin validation [ref_id=1]. A secondary CSRF vector exists at `/api/v1/users/<user ID>/removel2auth` for disabling a victim's two-factor authentication [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not specify a fix, but the standard remediation for CSRF is to require an anti-CSRF token bound to the session on every state-changing request, to validate the `Origin` (or, failing that, `Referer`) header on the server side, and to require an explicit confirmation step for destructive actions such as a server restart. The endpoint should also be changed from GET to POST so that a plain navigation, link or `<img>` tag can no longer trigger it; note, however, that a method change alone does not stop CSRF, because a cross-origin HTML form can submit a POST just as easily as the GET form used in the PoC. The token or origin check is what actually blocks the attack.
Preconditions
- auth: The victim must be logged into TruDesk with administrative privileges (sufficient to restart the server).
- input: The attacker must know the full base URL of the target TruDesk instance.
- network: The victim must visit the attacker's crafted webpage while authenticated to TruDesk.
Reproduction
Create an HTML file (e.g., `serverReset.html`) with the following content, replacing the action URL with the target TruDesk instance's base URL [ref_id=1]:
```html
<html>
  <body>
    <!-- PoC from the reference: the form auto-submits a GET to the restart endpoint and the
         browser attaches the victim's TruDesk session cookie. Replace the host in the action
         attribute with the target instance's base URL. -->
    <form action="https://docker.trudesk.io/api/v1/admin/restart" method="GET"></form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
Host this page on an attacker-controlled server. When a logged-in administrator visits the page, the form auto-submits and the TruDesk server restarts [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.