When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of trudesk users like their Geolocation, their Device information like Device Name, Version, Software & Software version used, etc.
1.Browse this link:- https://github.com/ianare/exif-samples/blob/master/jpg/gps/DSCN0012.jpg
2.Download the image Upload the picture on your profile and click on save.
3.Now see the path of the uploaded image ( Either by right click on image then copy image address OR right-click, inspect the image, the URL will come in the inspect, edit it as HTML )
4.Then open:- http://exif.regex.info/exif.cgi
5.Then select the image and click on “View Image Data” now you can see the EXIF data.
https://drive.google.com/file/d/1_-lUIFVpC0BrxrviLgO-Kythb-qaBt8a/view?usp=sharing
This vulnerability impacts all users on trudesk. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on trudesk.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10109
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26220
hackerone.com/reports/446238
hackerone.com/reports/906907
medium.com/@souravnewatia/exif-geolocation-data-not-stripped-from-uploaded-images-794d20d2fa7d
www.consumerreports.org/privacy/what-can-you-tell-from-photo-exif-data-a2386546443/