| 标题 | Mettle sendportal v3.0.1 Improper Access Controls |
|---|
| 描述 | The destroy() method in WorkspaceInvitationsController allows any workspace owner to delete invitations belonging to any other workspace (IDOR - CWE-639).
Vulnerability Details
File: app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php, lines 42-47
public function destroy(Invitation $invitation): RedirectResponse
{
$invitation->delete(); // No workspace ownership check
return redirect()->route('users.index');
}
The route group at routes/web.php line 59 applies OwnsCurrentWorkspace::class middleware, which verifies the user owns their current workspace — but does NOT verify the {invitation} parameter belongs to that workspace. Laravel route model binding resolves ANY invitation by ID. |
|---|
| 来源 | ⚠️ https://github.com/mettle/sendportal/issues/337 |
|---|
| 用户 | B1scuit (UID 97177) |
|---|
| 提交 | 2026-05-08 07時52分 (1 月前) |
|---|
| 管理 | 2026-05-31 10時14分 (23 days later) |
|---|
| 状态 | 重复 |
|---|
| VulDB条目 | 359744 [mettle sendportal 直到 3.0.1 Invitation WorkspaceInvitationsController.php destroy invitation 权限提升] |
|---|
| 积分 | 0 |
|---|