Submit #801781: mettle sendportal v3.0.1 Insecure direct object reference Info

Title: mettle sendportal v3.0.1 Insecure direct object reference
Description:

Summary

The destroy() method in WorkspaceInvitationsController allows any workspace owner to delete invitations belonging to any other workspace (IDOR, CWE-639).

Vulnerability Details

File: app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php, lines 42-47

```php
public function destroy(Invitation $invitation): RedirectResponse
{
    $invitation->delete(); // No workspace ownership check
    return redirect()->route('users.index');
}
```

The route group at routes/web.php line 59 applies the OwnsCurrentWorkspace::class middleware, which verifies that the user owns their current workspace, but it does NOT verify that the {invitation} parameter belongs to that workspace. Laravel route model binding resolves ANY invitation by ID.

Secure pattern comparison: the store() method in the same controller correctly scopes to the current workspace via $request->user()->currentWorkspace(). The invitations table has a workspace_id foreign key, but it is never validated in destroy().

Recommended Fix

```php
public function destroy(Invitation $invitation): RedirectResponse
{
    abort_unless(
        $invitation->workspace_id === auth()->user()->currentWorkspace()->id,
        404
    );
    $invitation->delete();
    return redirect()->route('users.index');
}
```

Disclosure

Found during security research. Happy to provide additional details.
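A Laravel feature test that pins the recommended fix, added here as an example and not part of SendPortal's own test suite. It assumes model factories for User, Workspace and Invitation under App\Models, an owner_id column on workspaces, a current_workspace_id column on users, and a route named 'workspaces.invitations.destroy' (the report does not give the route name); the first test fails on the vulnerable destroy() and passes once the workspace_id check is in place.

```php
<?php
// Added regression test (not part of SendPortal). Assumed: User/Workspace/Invitation
// factories, an owner_id column on workspaces, a current_workspace_id column on
// users, and a route named 'workspaces.invitations.destroy' (not given in the report).
namespace Tests\Feature;

use App\Models\Invitation;
use App\Models\User;
use App\Models\Workspace;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class WorkspaceInvitationIdorTest extends TestCase
{
    use RefreshDatabase;

    /** Create a workspace owner whose current workspace holds one pending invitation. */
    private function ownerWithInvitation(): array
    {
        $owner = User::factory()->create();
        $workspace = Workspace::factory()->create(['owner_id' => $owner->id]);
        $owner->forceFill(['current_workspace_id' => $workspace->id])->save();
        $invitation = Invitation::factory()->create(['workspace_id' => $workspace->id]);
        return [$owner, $invitation];
    }

    public function test_owner_cannot_delete_invitation_of_another_workspace(): void
    {
        [, $foreignInvitation] = $this->ownerWithInvitation();
        [$otherOwner] = $this->ownerWithInvitation();

        // $otherOwner passes OwnsCurrentWorkspace (they do own a workspace); only the
        // per-invitation workspace_id check inside destroy() can refuse this request.
        $this->actingAs($otherOwner)
            ->delete(route('workspaces.invitations.destroy', $foreignInvitation))
            ->assertNotFound();
        $this->assertDatabaseHas('invitations', ['id' => $foreignInvitation->id]);
    }

    public function test_owner_can_still_delete_own_invitation(): void
    {
        [$owner, $invitation] = $this->ownerWithInvitation();

        $this->actingAs($owner)
            ->delete(route('workspaces.invitations.destroy', $invitation))
            ->assertRedirect(route('users.index'));
        $this->assertDatabaseMissing('invitations', ['id' => $invitation->id]);
    }
}
```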
Source: https://github.com/mettle/sendportal/issues/337
User:
 B1scuit (UID 97177)
Submission: 10/04/2026 06:51 AM (2 months ago)
Moderation: 26/04/2026 09:53 PM (17 days later)
Status: Accepted
VulDB Entry: 359744 [mettle sendportal up to 3.0.1 Invitation WorkspaceInvitationsController.php destroy invitation privilege escalation]
Points: 20
