solidtime Insecure Direct Object Reference Vulnerability in Project Detail Endpoint
Vulnerability
A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in solidtime, an open-source time-tracking application. This issue affects versions prior to 0.11.6. The vulnerability arises in the project detail endpoint, specifically 'GET /api/v1/organizations/{org}/projects/{project}', where any authenticated employee can access projects by UUID, including private ones they do not belong to. The 'index()' endpoint properly applies the visibility scope for employees, but the 'show()' endpoint fails to do so, allowing unauthorized access to private project details.
Impact
Exploitation of this vulnerability allows employees to access private project information, including names and metadata, such as billable rates, if applicable. This could lead to unauthorized disclosure of sensitive business information.
Reproduction
To reproduce this vulnerability, an authenticated employee can use the 'show()' endpoint to access a private project by its UUID, bypassing the intended visibility restrictions. This can be done after creating a private project as an owner and then attempting to access it as an employee who is not a member of the project.
Remediation
Users are advised to upgrade to solidtime version 0.11.6, which includes a patch for this vulnerability by adding the necessary visibility check in the 'show()' endpoint.
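The pattern behind this bug and its fix, as an added example that is not solidtime's own code: plain PHP standing in for the Laravel controller, with a show() that checks only organization membership beside one that applies the same visibility scope index() already uses. The user roles, project fields and identifiers are constructed for the example and do not reflect solidtime's actual schema.

```php
<?php
// Added example, not solidtime's own code: plain PHP modelling the show()
// IDOR described above and its fix. Names, data and roles are hypothetical.
declare(strict_types=1);

// Constructed sample data; the string keys stand in for UUIDs.
$users = [
    'user-owner' => ['org' => 'org-1', 'role' => 'owner'],
    'user-emp'   => ['org' => 'org-1', 'role' => 'employee'],
];
$projects = [
    'proj-public'  => ['org' => 'org-1', 'is_public' => true,  'members' => [],             'billable_rate' => 120],
    'proj-private' => ['org' => 'org-1', 'is_public' => false, 'members' => ['user-owner'], 'billable_rate' => 200],
];

// Visibility scope that index() applies: employees see only public projects
// or projects they are members of; other roles see every project in the org.
function visibleTo(array $user, string $userId, array $project): bool
{
    if ($user['role'] !== 'employee') {
        return true;
    }
    return $project['is_public'] || in_array($userId, $project['members'], true);
}

// Vulnerable show(): verifies only that caller and project share an
// organization, so any employee can fetch any private project by UUID.
function showVulnerable(array $users, array $projects, string $userId, string $org, string $projectId): ?array
{
    $project = $projects[$projectId] ?? null;
    if ($project === null || $project['org'] !== $org || $users[$userId]['org'] !== $org) {
        return null; // treated as 404 by the caller
    }
    return $project;
}

// Fixed show(): reuses the visibility scope from index(). A denied request
// answers exactly like a missing project, so a guessed UUID neither leaks
// metadata nor confirms that a private project exists.
function showFixed(array $users, array $projects, string $userId, string $org, string $projectId): ?array
{
    $project = showVulnerable($users, $projects, $userId, $org, $projectId);
    if ($project === null || !visibleTo($users[$userId], $userId, $project)) {
        return null;
    }
    return $project;
}

$leak  = showVulnerable($users, $projects, 'user-emp', 'org-1', 'proj-private');
$fixed = showFixed($users, $projects, 'user-emp', 'org-1', 'proj-private');
echo 'vulnerable: ', $leak === null ? 'denied' : 'leaked billable rate ' . $leak['billable_rate'], PHP_EOL;
echo 'fixed:      ', $fixed === null ? 'denied' : 'leaked', PHP_EOL;
```

Running the script prints `vulnerable: leaked billable rate 200` followed by `fixed: denied`, which is the behaviour difference a regression test for the patched endpoint should assert.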
