Code-Projects Invoice System Improper Authorization Vulnerability in Laravel 1.0
Vulnerability
A critical improper authorization vulnerability has been identified in Code-Projects Invoice System version 1.0, specifically within the Invoice Endpoint. The issue arises in the '/invoice/' file, where the application fails to validate whether an invoice ID belongs to the requesting company (tenant). This oversight allows unauthorized access to view or edit invoices from other companies. The vulnerability can be exploited remotely, and a public proof-of-concept is available.
Impact
Exploitation of this vulnerability leads to unauthorized access and modification of invoice records across different companies, bypassing tenant isolation. This not only exposes sensitive billing and financial data but also allows for unauthorized changes to invoice amounts and statuses. Additionally, there is a business risk associated with the potential disclosure of customer lists and transaction histories across the platform.
Reproduction
To reproduce this vulnerability, send a GET or PUT request to the '/invoice/{id}' endpoint with an invoice ID that belongs to a different company. The absence of a company ID check in the application's authorization process will allow access to the invoice, demonstrating the cross-tenant data exposure.
Remediation
It is recommended to implement tenant checks in invoice queries, apply Laravel Policies to all actions on the Invoice model, and use scoped route model binding to enforce tenant isolation.
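One way to apply the three remediations above in Laravel, as an added example that is not the project's own code: a global scope on the Invoice model (so route model binding only ever resolves the caller's own invoices), a Policy for each action, and routes that enforce that Policy. `InvoiceController`, the `invoices.company_id` column and the `company_id` attribute on the User model are assumptions.

```php
<?php
// Added example, not code from the Code-Projects Invoice System. Assumes an
// `invoices.company_id` column and a `company_id` attribute on the logged-in User.
// --- app/Models/Invoice.php: every query, route model binding included, is tenant-scoped
namespace App\Models;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Auth;

class Invoice extends Model
{
    protected static function booted(): void
    {
        // A foreign invoice id no longer resolves: find() returns null, so {invoice} gives 404.
        static::addGlobalScope('tenant', function (Builder $query) {
            $query->where('company_id', Auth::user()?->company_id);
        });
    }
}

// --- app/Policies/InvoicePolicy.php: explicit per-action check (defence in depth)
namespace App\Policies;
use App\Models\Invoice;
use App\Models\User;

class InvoicePolicy
{
    private function sameTenant(User $user, Invoice $invoice): bool
    {
        return $user->company_id !== null && $user->company_id === $invoice->company_id;
    }

    public function view(User $user, Invoice $invoice): bool
    {
        return $this->sameTenant($user, $invoice);
    }

    public function update(User $user, Invoice $invoice): bool
    {
        return $this->sameTenant($user, $invoice);
    }
}

// --- routes/web.php: the policy runs as middleware before the controller does
use App\Http\Controllers\InvoiceController;
use Illuminate\Support\Facades\Route;
Route::middleware('auth')->group(function () {
    Route::get('/invoice/{invoice}', [InvoiceController::class, 'show'])->can('view', 'invoice');
    Route::put('/invoice/{invoice}', [InvoiceController::class, 'update'])->can('update', 'invoice');
});
```

Because the scope keys on the authenticated user, queries issued from queued jobs or artisan commands (where no user is logged in) return nothing unless they call `withoutGlobalScope('tenant')` explicitly, which is the safe default for a multi-tenant model.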
