| tiêu đề | devaslanphp project-management < 2.0.0-beta1 Improper Authorization |
|---|
| Mô tả | Multiple improper authorization and Insecure Direct Object Reference (IDOR) vulnerabilities were found in devaslanphp/project-management (up to version 2.0.0-beta1). It has been rated as high severity. The vulnerabilities stem from the lack of server-side authorization validation in several Livewire component methods and Laravel policies. Specifically:
KanbanScrumHelper::recordUpdated() allows any authenticated user to modify the status and order of any ticket across all projects.
ViewTicket::doDeleteComment() and editComment() allow arbitrary deletion/modification of comments by bypassing UI-only checks.
Deletion methods in TicketPolicy, ProjectPolicy, and SprintPolicy lack ownership verification.
TimesheetResource lacks scoping, exposing all users' timesheet entries.
These flaws allow authenticated attackers to manipulate or delete resources belonging to other users.
Issue: https://github.com/devaslanphp/project-management/issues/140
Fix Commit: https://github.com/devaslanphp/project-management/commit/30a6a76 |
|---|
| Nguồn | ⚠️ https://github.com/devaslanphp/project-management/issues/140 |
|---|
| Người dùng | Mitchell45 (UID 98149) |
|---|
| Đệ trình | 11/05/2026 12:34 (cách đây 28 ngày) |
|---|
| Kiểm duyệt | 31/05/2026 18:30 (20 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 367577 [DevaslanPHP project-management đến 2.0.0-beta1 Livewire ViewTicket.php editComment/doDeleteComment nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|