Solidtime Cross-Organization Time Entry Modification Vulnerability
Vulnerability
A vulnerability in the solidtime time-tracking application, specifically in version 0.12.0, allows users to modify time entries from other organizations. This issue arises in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API, where the route-bound time entry can be altered and reassigned to objects within the user's organization. The vulnerability exists because the permission check does not properly validate the organization ownership of the time entry being updated.
Impact
Exploitation of this vulnerability leads to unauthorized modifications of time entry records across different organizations, causing integrity issues by corrupting organizational references. This cross-tenant data manipulation also disrupts project and task aggregation reports by introducing inaccurate time entry data from other organizations.
Reproduction
To reproduce this vulnerability, first, obtain an account with 'time-entries:update:all' permission in one organization (referred to as orgA). Then, identify a time entry UUID from a different organization (orgB) that is known to the user. With this information, send a PUT request to the time entry update endpoint for orgA, including the foreign time entry UUID and any project or task IDs that belong to orgA. After the request is processed, the time entry in orgB will be updated with references to orgA's objects, demonstrating the cross-organization modification flaw.
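The missing check described above, modelled as an added example (not solidtime's own code): a route-scoped permission check alone lets a time entry from another organization be reassigned, while the hardened version also requires the entry and every referenced object to belong to the organization in the route. The models, permission map, and sample orgA/orgB data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical models standing in for the application's
# time entry and project records (not solidtime's own classes).
@dataclass(frozen=True)
class TimeEntry:
    id: str
    organization_id: str
    project_id: Optional[str] = None

@dataclass(frozen=True)
class Project:
    id: str
    organization_id: str

class Forbidden(Exception):
    pass

# Constructed sample data: user-a may update all entries in orgA,
# project p-a belongs to orgA, and te-b is a time entry owned by orgB.
PERMISSIONS = {"user-a": {"orgA": {"time-entries:update:all"}}}
PROJECTS = {"p-a": Project("p-a", "orgA")}
ENTRIES = {"te-b": TimeEntry("te-b", "orgB"), "te-a": TimeEntry("te-a", "orgA")}

def has_permission(user: str, route_org: str) -> bool:
    return "time-entries:update:all" in PERMISSIONS.get(user, {}).get(route_org, set())

def vulnerable_update(user: str, route_org: str, entry_id: str, project_id: str) -> TimeEntry:
    """Checks only the caller's permission in the route organization and never
    verifies that the route-bound time entry belongs to that organization."""
    if not has_permission(user, route_org):
        raise Forbidden("missing permission")
    entry = ENTRIES[entry_id]
    # orgB's entry now references orgA's project: cross-tenant corruption.
    return TimeEntry(entry.id, entry.organization_id, project_id)

def hardened_update(user: str, route_org: str, entry_id: str, project_id: str) -> TimeEntry:
    """Same permission check, plus ownership checks tying the time entry and
    the referenced project to the organization named in the route."""
    if not has_permission(user, route_org):
        raise Forbidden("missing permission")
    entry = ENTRIES[entry_id]
    if entry.organization_id != route_org:
        raise Forbidden("time entry is not owned by the route organization")
    project = PROJECTS.get(project_id)
    if project is None or project.organization_id != route_org:
        raise Forbidden("project is not owned by the route organization")
    return TimeEntry(entry.id, entry.organization_id, project_id)
```

The same ownership rule applies to any other object the request can reference, such as a task ID.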
Remediation
Users are advised to update to solidtime version 0.12.1, where this vulnerability has been patched.