| عنوان | devaslanphp project-management < 2.0.0-beta1 Improper Authorization |
|---|
| الوصف | A systemic authorization vulnerability affecting multiple components was found in devaslanphp/project-management (up to version 2.0.0-beta1). Rated as critical, this issue encompasses 12 distinct authorization flaws across the application. Key impacts include:
Cross-project ticket status manipulation via the Livewire listener KanbanScrumHelper::recordUpdated() due to missing ownership checks.
Arbitrary ticket, project, and sprint deletion because delete methods in their respective policies (e.g., TicketPolicy) fail to verify resource ownership.
Arbitrary comment modification and deletion in ViewTicket.php.
Unrestricted access to all users' timesheets due to the complete absence of a TicketHourPolicy for the TimesheetResource.
UI-only authorization patterns where administrative pages and dashboard widgets hide navigation links but do not prevent direct URL access or data scoping.
These vulnerabilities allow authenticated attackers to manipulate, delete, or view sensitive cross-project data. The issues were remediated in commit 30a6a76 by implementing comprehensive server-side access controls, policy ownership checks, and proper data scoping.
Issue Link: https://github.com/devaslanphp/project-management/issues/141
Fix Commit: https://github.com/devaslanphp/project-management/commit/30a6a76 |
|---|
| المصدر | ⚠️ https://github.com/devaslanphp/project-management/issues/141 |
|---|
| المستخدم | Mitchell_45 (UID 98150) |
|---|
| ارسال | 11/05/2026 12:36 PM (24 أيام منذ) |
|---|
| الاعتدال | 31/05/2026 06:30 PM (20 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 367578 [DevaslanPHP project-management حتى 2.0.0-beta1 Ticket KanbanScrumHelper.php recordUpdated تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|