| 标题 | devaslanphp project-management < 2.0.0-beta1 Improper Authorization |
|---|
| 描述 | A systemic authorization vulnerability affecting multiple components was found in devaslanphp/project-management (up to version 2.0.0-beta1). Rated as critical, this issue encompasses 12 distinct authorization flaws across the application. Key impacts include:
Cross-project ticket status manipulation via the Livewire listener KanbanScrumHelper::recordUpdated() due to missing ownership checks.
Arbitrary ticket, project, and sprint deletion because delete methods in their respective policies (e.g., TicketPolicy) fail to verify resource ownership.
Arbitrary comment modification and deletion in ViewTicket.php.
Unrestricted access to all users' timesheets due to the complete absence of a TicketHourPolicy for the TimesheetResource.
UI-only authorization patterns where administrative pages and dashboard widgets hide navigation links but do not prevent direct URL access or data scoping.
These vulnerabilities allow authenticated attackers to manipulate, delete, or view sensitive cross-project data. The issues were remediated in commit 30a6a76 by implementing comprehensive server-side access controls, policy ownership checks, and proper data scoping.
Issue Link: https://github.com/devaslanphp/project-management/issues/141
Fix Commit: https://github.com/devaslanphp/project-management/commit/30a6a76 |
|---|
| 来源 | ⚠️ https://github.com/devaslanphp/project-management/issues/141 |
|---|
| 用户 | Mitchell_45 (UID 98150) |
|---|
| 提交 | 2026-05-11 12時36分 (26 日前) |
|---|
| 管理 | 2026-05-31 18時30分 (20 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 367578 [DevaslanPHP project-management 直到 2.0.0-beta1 Ticket KanbanScrumHelper.php recordUpdated 权限提升] |
|---|
| 积分 | 20 |
|---|