| Title | devaslanphp project-management < 2.0.0-beta1 Improper Authorization |
|---|
| Description | A systemic authorization vulnerability affecting multiple components was found in devaslanphp/project-management (up to version 2.0.0-beta1). Rated critical, the report covers 12 distinct authorization flaws across the application. Key impacts include:
- Cross-project ticket status manipulation through the Livewire listener KanbanScrumHelper::recordUpdated(), which performs no ownership check on the ticket it updates.
- Arbitrary ticket, project, and sprint deletion, because the delete methods of the respective policies (e.g. TicketPolicy) do not verify resource ownership.
- Arbitrary comment modification and deletion in ViewTicket.php.
- Unrestricted access to all users' timesheets, since no TicketHourPolicy exists for the TimesheetResource.
- UI-only authorization patterns: administrative pages and dashboard widgets hide navigation links but neither block direct URL access nor scope the data they return.
These flaws allow authenticated attackers to view, manipulate, or delete sensitive data belonging to other projects. They were remediated in commit 30a6a76 by adding comprehensive server-side access controls, ownership checks in the policies, and proper data scoping.
Issue Link: https://github.com/devaslanphp/project-management/issues/141
Fix Commit: https://github.com/devaslanphp/project-management/commit/30a6a76 |
|---|
| Source | https://github.com/devaslanphp/project-management/issues/141 |
|---|
| User | Mitchell_45 (UID 98150) |
|---|
| Submission | 11/05/2026 12:36 PM (24 days ago) |
|---|
| Moderation | 31/05/2026 06:30 PM (20 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 367578 [DevaslanPHP project-management up to 2.0.0-beta1 Ticket KanbanScrumHelper.php recordUpdated privilege escalation] |
|---|
| Points | 20 |
|---|
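As an added illustration of the three failure classes the description lists (a policy delete() with no ownership check, a Livewire listener that trusts a client-supplied ticket id, and an unscoped timesheet listing), the following plain-PHP sketch contrasts the unsafe shape with a hardened one. It is not code from devaslanphp/project-management or from its fix commit: the class shapes, field names (ownerId, memberIds, userId), the in-memory ticket store and the constructed sample data are all assumptions made for the example. In a real Laravel application the same checks would live in TicketPolicy and be invoked from the Livewire component with $this->authorize('update', $ticket), and a Filament resource would apply the listing scope in its getEloquentQuery().

```php
<?php
// Added illustration, not code from devaslanphp/project-management or its fix commit.
// Plain PHP (no Laravel) so it runs with `php ownership.php`; class and field names are assumptions.
declare(strict_types=1);

final class User
{
    public function __construct(public int $id) {}
}

final class Project
{
    /** @param int[] $memberIds */
    public function __construct(public int $id, public int $ownerId, public array $memberIds = []) {}

    public function hasMember(User $user): bool
    {
        return $user->id === $this->ownerId || in_array($user->id, $this->memberIds, true);
    }
}

final class Ticket
{
    public function __construct(public int $id, public Project $project, public int $ownerId, public string $status = 'todo') {}
}

final class TicketHour
{
    public function __construct(public int $id, public int $userId, public Ticket $ticket, public float $hours) {}
}

/** Before: the shape the advisory describes, a delete() that never inspects ownership. */
final class UnsafeTicketPolicy
{
    public function delete(User $user, Ticket $ticket): bool { return true; } // any authenticated user passes
}

/** After: same Laravel-style policy signature, tied to the ticket owner or the owner of its project. */
final class TicketPolicy
{
    public function delete(User $user, Ticket $ticket): bool
    {
        return $user->id === $ticket->ownerId || $user->id === $ticket->project->ownerId;
    }

    public function update(User $user, Ticket $ticket): bool
    {
        return $ticket->project->hasMember($user);
    }
}

/** Stand-in for a Livewire listener like recordUpdated(): id and status arrive from the browser,
 *  so the ticket is looked up and re-authorized server-side. Returns whether the change was applied. */
final class KanbanHelper
{
    /** @param array<int, Ticket> $tickets in-memory stand-in for the tickets table */
    public function __construct(private array $tickets, private TicketPolicy $policy) {}

    public function recordUpdated(User $actor, array $payload): bool
    {
        $ticket = $this->tickets[(int) ($payload['id'] ?? 0)] ?? null;
        if ($ticket === null || !$this->policy->update($actor, $ticket)) {
            return false; // in a Laravel component, $this->authorize('update', $ticket) would throw a 403 here
        }
        $ticket->status = (string) ($payload['status'] ?? $ticket->status);
        return true;
    }
}

/** Data scoping for a timesheet listing: only rows the actor logged or that belong to a project they are in. */
function visibleHours(User $actor, array $hours): array
{
    return array_values(array_filter(
        $hours,
        fn (TicketHour $h) => $h->userId === $actor->id || $h->ticket->project->hasMember($actor)
    ));
}

function expect(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException("unexpected: $what"); }
    echo "ok: $what\n";
}

// Constructed data: two projects owned by different users, one ticket and one timesheet row each.
[$alice, $mallory] = [new User(1), new User(2)];
$tA = new Ticket(100, new Project(10, ownerId: 1), ownerId: 1);
$tB = new Ticket(200, new Project(20, ownerId: 2), ownerId: 2);
$hours = [new TicketHour(1, userId: 1, ticket: $tA, hours: 2.5), new TicketHour(2, userId: 2, ticket: $tB, hours: 1.0)];

expect((new UnsafeTicketPolicy())->delete($mallory, $tA), "unsafe policy lets mallory delete alice's ticket");
$safe = new TicketPolicy();
expect(!$safe->delete($mallory, $tA), 'fixed policy refuses the cross-project delete');
expect($safe->delete($alice, $tA), 'fixed policy still lets the owner delete');

$helper = new KanbanHelper([100 => $tA, 200 => $tB], $safe);
expect(!$helper->recordUpdated($mallory, ['id' => 100, 'status' => 'done']) && $tA->status === 'todo', 'cross-project status change refused, ticket untouched');
expect($helper->recordUpdated($alice, ['id' => 100, 'status' => 'done']) && $tA->status === 'done', 'member status change applied');
expect(count(visibleHours($mallory, $hours)) === 1 && visibleHours($mallory, $hours)[0]->id === 2, "timesheet listing scoped to mallory's own rows");
```

The point of the KanbanHelper stand-in is that hiding a Kanban column or a navigation link in the UI changes nothing about what a Livewire listener accepts: the payload is attacker-controlled, so every call must load the record and run the policy again, regardless of what the page showed. The same applies to the timesheet scope, which has to be enforced in the query, not in the sidebar.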