DevaslanPHP project-management
- <= 2.0.0-beta1
An improper authorization vulnerability has been identified in the DevaslanPHP project management application, affecting versions up to and including 2.0.0-beta1. The issue resides in the KanbanScrumHelper::recordUpdated function within the Ticket Handler component. Because the function performs no ownership or project-membership check on the ticket it is asked to update, it allows cross-project ticket status manipulation. The flaw can be triggered remotely via the Livewire wire protocol, enabling unauthorized users to alter the status of any ticket.
Exploitation of this vulnerability allows for unauthorized manipulation of ticket statuses across different projects, potentially leading to mismanagement of project workflows and ticketing systems.
To reproduce this vulnerability, access the Kanban or Scrum board page of a project. The page is scoped to the user's own project, but the vulnerable function can be invoked with any ticket ID via the Livewire wire protocol. This results in unauthorized changes to that ticket's status, demonstrating the missing authorization checks.
Users are advised to update to a version that includes the necessary authorization checks for the `recordUpdated()` function. Additionally, ownership checks should be added to the delete policies of the Ticket, Project, and Sprint resources.
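As an added illustration (not DevaslanPHP's own code), the following Laravel/Livewire sketch shows the vulnerable pattern the advisory describes beside a hardened `recordUpdated()` that scopes the ticket lookup to the board's project and gates the update on ownership or membership. The `Ticket` and `Project` models, the `$this->project` property, the `owner_id` column and the `tickets()`, `members()` and `statuses()` relations are assumptions made for this example.

```php
<?php
// Added example, not the project's own code. Assumed models and relations:
// Project has owner_id, tickets(), members() (users) and statuses();
// $this->project is the Project this board component was opened for.

use App\Models\Ticket;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Support\Facades\Auth;
use Livewire\Component;

class KanbanBoardVulnerable extends Component
{
    public $project;

    // Vulnerable pattern: the ticket ID and status come from the client and the
    // ticket is loaded globally, so a ticket from any project can be moved by
    // any authenticated user who can reach a board page.
    public function recordUpdated(int $ticketId, int $statusId): void
    {
        $ticket = Ticket::findOrFail($ticketId);
        $ticket->status_id = $statusId;
        $ticket->save();
    }
}

class KanbanBoardHardened extends Component
{
    public $project;

    public function recordUpdated(int $ticketId, int $statusId): void
    {
        $user = Auth::user();

        // 1. Scope the lookup to this board's project: a ticket ID belonging
        //    to another project does not resolve and yields a 404.
        $ticket = $this->project->tickets()->findOrFail($ticketId);

        // 2. Require the caller to own the project or be one of its members.
        $isOwner  = $this->project->owner_id === $user->id;
        $isMember = $this->project->members()->where('users.id', $user->id)->exists();
        if (!$isOwner && !$isMember) {
            throw new AuthorizationException('Not a member of this project.');
        }

        // 3. Accept only a status that belongs to this project's board.
        $this->project->statuses()->findOrFail($statusId);

        $ticket->status_id = $statusId;
        $ticket->save();
    }
}
```

The same membership rule belongs in the Ticket, Project and Sprint policies so that delete actions are gated consistently with updates.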