Submission #822924: Mettle sendportal v3.0.1 Improper Access Controls
Information

Title: Mettle sendportal v3.0.1 Improper Access Controls
Description: The destroy() method in WorkspaceInvitationsController allows any workspace owner to delete invitations belonging to any other workspace (IDOR, CWE-639).

Vulnerability Details
File: app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php, lines 42-47

    public function destroy(Invitation $invitation): RedirectResponse
    {
        $invitation->delete(); // No workspace ownership check
        return redirect()->route('users.index');
    }

The route group at routes/web.php line 59 applies the OwnsCurrentWorkspace::class middleware, which verifies that the user owns their current workspace, but it does NOT verify that the {invitation} parameter belongs to that workspace. Laravel route model binding resolves ANY invitation by ID.
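The vulnerable method beside a hardened form that scopes the deletion to the caller's workspace, added here as an illustration and not sendportal's own fix. It assumes an Invitation has a workspace_id column, that the model lives at App\Models\Invitation, and that the authenticated user exposes the current workspace id through a hypothetical currentWorkspaceId() helper.

```php
<?php

namespace App\Http\Controllers\Workspaces;

use App\Http\Controllers\Controller;
use App\Models\Invitation;            // assumed model namespace
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class WorkspaceInvitationsController extends Controller
{
    /**
     * Form from the report, kept for comparison: route model binding
     * resolves any Invitation by id and nothing ties it to the caller's
     * workspace, so the OwnsCurrentWorkspace middleware is not enough.
     */
    public function destroyVulnerable(Invitation $invitation): RedirectResponse
    {
        $invitation->delete();
        return redirect()->route('users.index');
    }

    /**
     * Hardened form: authorisation is decided per object. The middleware
     * proves the caller owns *a* workspace; this method proves the bound
     * invitation belongs to that same workspace before deleting it.
     */
    public function destroy(Request $request, Invitation $invitation): RedirectResponse
    {
        // Assumption: hypothetical helper returning the caller's current workspace id.
        $currentWorkspaceId = (int) $request->user()->currentWorkspaceId();

        // Assumption: invitations carry a workspace_id column.
        // Responding 404 rather than 403 also avoids confirming that a
        // foreign invitation id exists.
        abort_if((int) $invitation->workspace_id !== $currentWorkspaceId, 404);

        $invitation->delete();

        return redirect()->route('users.index');
    }
}
```

An equivalent defence that avoids the implicit binding entirely is to look the record up through a query already scoped to the workspace, e.g. Invitation::where('workspace_id', $currentWorkspaceId)->findOrFail($id), so an id from another workspace never resolves.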
Source: https://github.com/mettle/sendportal/issues/337
User: B1scuit (UID 97177)
Submitted: 08/05/2026 07:52 AM (28 days ago)
Moderated: 31/05/2026 10:14 AM (23 days later)
Status: Duplicate
VulDB Entry: 359744 [mettle sendportal up to 3.0.1 Invitation WorkspaceInvitationsController.php destroy invitation privilege escalation]
Points: 0
