| 제목 | devaslanphp project-management < 2.0.0-beta1 Improper Authorization |
|---|
| 설명 | A systemic authorization vulnerability affecting multiple components was found in devaslanphp/project-management (up to version 2.0.0-beta1). Rated as critical, this issue encompasses 12 distinct authorization flaws across the application. Key impacts include:
Cross-project ticket status manipulation via the Livewire listener KanbanScrumHelper::recordUpdated() due to missing ownership checks.
Arbitrary ticket, project, and sprint deletion because delete methods in their respective policies (e.g., TicketPolicy) fail to verify resource ownership.
Arbitrary comment modification and deletion in ViewTicket.php.
Unrestricted access to all users' timesheets due to the complete absence of a TicketHourPolicy for the TimesheetResource.
UI-only authorization patterns where administrative pages and dashboard widgets hide navigation links but do not prevent direct URL access or data scoping.
These vulnerabilities allow authenticated attackers to manipulate, delete, or view sensitive cross-project data. The issues were remediated in commit 30a6a76 by implementing comprehensive server-side access controls, policy ownership checks, and proper data scoping.
Issue Link: https://github.com/devaslanphp/project-management/issues/141
Fix Commit: https://github.com/devaslanphp/project-management/commit/30a6a76 |
|---|
| 원천 | ⚠️ https://github.com/devaslanphp/project-management/issues/141 |
|---|
| 사용자 | Mitchell_45 (UID 98150) |
|---|
| 제출 | 2026. 05. 11. PM 12:36 (26 날 ago) |
|---|
| 모더레이션 | 2026. 05. 31. PM 06:30 (20 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 367578 [DevaslanPHP project-management 까지 2.0.0-beta1 Ticket KanbanScrumHelper.php recordUpdated 권한 상승] |
|---|
| 포인트들 | 20 |
|---|