| Título | devaslanphp project-management < 2.0.0-beta1 Improper Authorization |
|---|
| Descrição | Multiple improper authorization and Insecure Direct Object Reference (IDOR) vulnerabilities were found in devaslanphp/project-management (up to version 2.0.0-beta1). It has been rated as high severity. The vulnerabilities stem from the lack of server-side authorization validation in several Livewire component methods and Laravel policies. Specifically:
KanbanScrumHelper::recordUpdated() allows any authenticated user to modify the status and order of any ticket across all projects.
ViewTicket::doDeleteComment() and editComment() allow arbitrary deletion/modification of comments by bypassing UI-only checks.
Deletion methods in TicketPolicy, ProjectPolicy, and SprintPolicy lack ownership verification.
TimesheetResource lacks scoping, exposing all users' timesheet entries.
These flaws allow authenticated attackers to manipulate or delete resources belonging to other users.
Issue: https://github.com/devaslanphp/project-management/issues/140
Fix Commit: https://github.com/devaslanphp/project-management/commit/30a6a76 |
|---|
| Fonte | ⚠️ https://github.com/devaslanphp/project-management/issues/140 |
|---|
| Utilizador | Mitchell45 (UID 98149) |
|---|
| Submissão | 11/05/2026 12h34 (há 24 dias) |
|---|
| Moderação | 31/05/2026 18h30 (20 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 367577 [DevaslanPHP project-management até 2.0.0-beta1 Livewire ViewTicket.php editComment/doDeleteComment Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|