| Título | devaslanphp project-management < 2.0.0-beta1 Improper Authorization |
|---|
| Descrição | A systemic authorization vulnerability affecting multiple components was found in devaslanphp/project-management (up to version 2.0.0-beta1). Rated as critical, this issue encompasses 12 distinct authorization flaws across the application. Key impacts include:
Cross-project ticket status manipulation via the Livewire listener KanbanScrumHelper::recordUpdated() due to missing ownership checks.
Arbitrary ticket, project, and sprint deletion because delete methods in their respective policies (e.g., TicketPolicy) fail to verify resource ownership.
Arbitrary comment modification and deletion in ViewTicket.php.
Unrestricted access to all users' timesheets due to the complete absence of a TicketHourPolicy for the TimesheetResource.
UI-only authorization patterns where administrative pages and dashboard widgets hide navigation links but do not prevent direct URL access or data scoping.
These vulnerabilities allow authenticated attackers to manipulate, delete, or view sensitive cross-project data. The issues were remediated in commit 30a6a76 by implementing comprehensive server-side access controls, policy ownership checks, and proper data scoping.
Issue Link: https://github.com/devaslanphp/project-management/issues/141
Fix Commit: https://github.com/devaslanphp/project-management/commit/30a6a76 |
|---|
| Fonte | ⚠️ https://github.com/devaslanphp/project-management/issues/141 |
|---|
| Utilizador | Mitchell_45 (UID 98150) |
|---|
| Submissão | 11/05/2026 12h36 (há 24 dias) |
|---|
| Moderação | 31/05/2026 18h30 (20 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 367578 [DevaslanPHP project-management até 2.0.0-beta1 Ticket KanbanScrumHelper.php recordUpdated Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|