| タイトル | devaslanphp project-management < 2.0.0-beta1 Improper Authorization |
|---|
| 説明 | Multiple improper authorization and Insecure Direct Object Reference (IDOR) vulnerabilities were found in devaslanphp/project-management (up to version 2.0.0-beta1). It has been rated as high severity. The vulnerabilities stem from the lack of server-side authorization validation in several Livewire component methods and Laravel policies. Specifically:
KanbanScrumHelper::recordUpdated() allows any authenticated user to modify the status and order of any ticket across all projects.
ViewTicket::doDeleteComment() and editComment() allow arbitrary deletion/modification of comments by bypassing UI-only checks.
Deletion methods in TicketPolicy, ProjectPolicy, and SprintPolicy lack ownership verification.
TimesheetResource lacks scoping, exposing all users' timesheet entries.
These flaws allow authenticated attackers to manipulate or delete resources belonging to other users.
Issue: https://github.com/devaslanphp/project-management/issues/140
Fix Commit: https://github.com/devaslanphp/project-management/commit/30a6a76 |
|---|
| ソース | ⚠️ https://github.com/devaslanphp/project-management/issues/140 |
|---|
| ユーザー | Mitchell45 (UID 98149) |
|---|
| 送信 | 2026年05月11日 12:34 (24 日 ago) |
|---|
| モデレーション | 2026年05月31日 18:30 (20 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 367577 [DevaslanPHP project-management 迄 2.0.0-beta1 Livewire ViewTicket.php editComment/doDeleteComment 特権昇格] |
|---|
| ポイント | 20 |
|---|