| Título | devaslanphp project-management < 2.0.0-beta1 Improper Authorization |
|---|
| Descripción | Multiple improper authorization and Insecure Direct Object Reference (IDOR) vulnerabilities were found in devaslanphp/project-management (up to version 2.0.0-beta1). It has been rated as high severity. The vulnerabilities stem from the lack of server-side authorization validation in several Livewire component methods and Laravel policies. Specifically:
KanbanScrumHelper::recordUpdated() allows any authenticated user to modify the status and order of any ticket across all projects.
ViewTicket::doDeleteComment() and editComment() allow arbitrary deletion/modification of comments by bypassing UI-only checks.
Deletion methods in TicketPolicy, ProjectPolicy, and SprintPolicy lack ownership verification.
TimesheetResource lacks scoping, exposing all users' timesheet entries.
These flaws allow authenticated attackers to manipulate or delete resources belonging to other users.
Issue: https://github.com/devaslanphp/project-management/issues/140
Fix Commit: https://github.com/devaslanphp/project-management/commit/30a6a76 |
|---|
| Fuente | ⚠️ https://github.com/devaslanphp/project-management/issues/140 |
|---|
| Usuario | Mitchell45 (UID 98149) |
|---|
| Sumisión | 2026-05-11 12:34 (hace 24 días) |
|---|
| Moderación | 2026-05-31 18:30 (20 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 367577 [DevaslanPHP project-management hasta 2.0.0-beta1 Livewire ViewTicket.php editComment/doDeleteComment escalada de privilegios] |
|---|
| Puntos | 20 |
|---|