| Название | devaslanphp project-management < 2.0.0-beta1 Improper Authorization |
|---|
| Описание | Multiple improper authorization and Insecure Direct Object Reference (IDOR) vulnerabilities were found in devaslanphp/project-management (up to version 2.0.0-beta1). It has been rated as high severity. The vulnerabilities stem from the lack of server-side authorization validation in several Livewire component methods and Laravel policies. Specifically:
KanbanScrumHelper::recordUpdated() allows any authenticated user to modify the status and order of any ticket across all projects.
ViewTicket::doDeleteComment() and editComment() allow arbitrary deletion/modification of comments by bypassing UI-only checks.
Deletion methods in TicketPolicy, ProjectPolicy, and SprintPolicy lack ownership verification.
TimesheetResource lacks scoping, exposing all users' timesheet entries.
These flaws allow authenticated attackers to manipulate or delete resources belonging to other users.
Issue: https://github.com/devaslanphp/project-management/issues/140
Fix Commit: https://github.com/devaslanphp/project-management/commit/30a6a76 |
|---|
| Источник | ⚠️ https://github.com/devaslanphp/project-management/issues/140 |
|---|
| Пользователь | Mitchell45 (UID 98149) |
|---|
| Представление | 11.05.2026 12:34 (24 дни назад) |
|---|
| Модерация | 31.05.2026 18:30 (20 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 367577 [DevaslanPHP project-management до 2.0.0-beta1 Livewire ViewTicket.php editComment/doDeleteComment эскалация привилегий] |
|---|
| Баллы | 20 |
|---|