DevaslanPHP project-management
- <= 2.0.0-beta1
An authorization bypass vulnerability has been identified in the DevaslanPHP project management application in versions up to and including 2.0.0-beta1. The issue resides within the Livewire component for the 'ViewTicket' resource page, in its 'editComment' and 'doDeleteComment' methods. Because these methods can be invoked directly with an arbitrary comment ID and perform no server-side authorization check, remote attackers can bypass the intended access control. The UI hides the edit and delete actions from users who should not have them, but a client-side restriction of this kind is easily circumvented and is not a substitute for a server-side check.
Exploitation of this vulnerability allows for unauthorized editing and deletion of comments on tickets, potentially leading to manipulation of ticket histories and project management records.
To reproduce this vulnerability, access the 'ViewTicket' page within the DevaslanPHP project management application. Use the Livewire 'editComment' or 'doDeleteComment' methods, providing a comment ID as an argument. These methods will execute without the necessary authorization checks, allowing for unauthorized comment modifications or deletions.
Users are advised to update to the latest version of the DevaslanPHP project management application, where this vulnerability has been addressed.
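The pattern behind this class of bug, as an added illustration that is not DevaslanPHP's own code: a Livewire action that trusts the comment ID it receives, beside a hardened form that scopes the lookup to the ticket being viewed and enforces a policy on the server. The model, column and property names (TicketComment, user_id, is_admin, $ticket) are assumptions for the example.

```php
<?php
// Illustrative example, not code from the DevaslanPHP project. Assumes an
// Eloquent model TicketComment (columns user_id, body, ticket_id), a User
// model with an is_admin flag, and a component holding the viewed Ticket.

use Illuminate\Support\Facades\Gate;
use Livewire\Component;

// Vulnerable pattern: any client that can render the page can call this
// action with any comment ID. Hiding the button in the UI is the only
// "control", and nothing on the server re-checks who is asking.
class ViewTicketVulnerable extends Component
{
    public $ticket;

    public function doDeleteComment(int $commentId): void
    {
        TicketComment::findOrFail($commentId)->delete();
    }
}

// Hardened pattern: the lookup is scoped to the ticket on screen, and a
// policy decides on the server, so a crafted request is rejected with 403.
class ViewTicketHardened extends Component
{
    public $ticket;

    public function doDeleteComment(int $commentId): void
    {
        // A comment from another ticket cannot even be addressed (404).
        $comment = $this->ticket->comments()->findOrFail($commentId);
        Gate::authorize('delete', $comment); // throws AuthorizationException
        $comment->delete();
    }

    public function editComment(int $commentId, string $body): void
    {
        $comment = $this->ticket->comments()->findOrFail($commentId);
        Gate::authorize('update', $comment);
        $comment->update(['body' => $body]);
    }
}

// Policy consulted by Gate::authorize(); register it for TicketComment
// in the application's AuthServiceProvider.
class TicketCommentPolicy
{
    public function update(User $user, TicketComment $comment): bool
    {
        return $user->id === $comment->user_id;
    }

    public function delete(User $user, TicketComment $comment): bool
    {
        return $user->id === $comment->user_id || (bool) $user->is_admin;
    }
}
```

The same check belongs in every Livewire or Filament action that takes a record ID from the client, since each action is an independently callable server endpoint.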