Mettle Sendportal Authorization Bypass Vulnerability in Invitation Management

Vulnerability

An authorization bypass has been identified in Mettle Sendportal versions through 3.0.1. The flaw is in the 'destroy' method of 'WorkspaceInvitationsController.php' (the Invitation Handler component): the method deletes the invitation identified by the ID supplied in the request without verifying that the invitation belongs to the caller's current workspace. Because the record is selected by its ID alone, this is an insecure direct object reference (IDOR): any authenticated workspace owner can delete invitations issued by other workspaces. The flaw is exploitable remotely over the normal web interface, but it requires an account that owns at least one workspace.

Impact

Exploitation allows an authenticated workspace owner to delete invitation records belonging to workspaces they do not control. The affected workspace loses its pending invitations and must re-issue them, disrupting onboarding of new members. The impact is limited to the integrity and availability of invitation data; the vulnerability does not by itself grant the attacker access to the other workspace.

Reproduction

To reproduce the issue, log in as the owner of workspace A and obtain the ID of a pending invitation issued by a different workspace B. Send the same request the application uses to revoke one of workspace A's own invitations (the route handled by the 'destroy' method of 'WorkspaceInvitationsController'), but substitute the ID of workspace B's invitation. Because the method performs no ownership check, workspace B's invitation is deleted, demonstrating the authorization bypass. A correct implementation would instead reject the request, and the invitation would remain in place.

Remediation

The 'destroy' method should be updated to validate that the invitation being deleted belongs to the caller's current workspace, by comparing the invitation's workspace ID with the ID of the user's current workspace and rejecting the request (for example with a 403 or 404 response) when they differ. The same check should be applied to every other action that accepts an invitation ID, and is best enforced in one place, either through an authorization policy or by scoping the invitation lookup to the current workspace so that records from other workspaces are never loaded at all.
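The following is an added example that is not Sendportal's code: it models the vulnerable 'destroy' pattern beside the hardened one in plain PHP, without the Laravel framework, so it can be run stand-alone. The class and method names (Invitation, InvitationRepository, InvitationsController, destroyVulnerable, destroyFixed) and the sample invitations are illustrative assumptions; the real controller operates on Eloquent models, but the ownership comparison it needs is the same.

```php
<?php
// Added example (not Sendportal's own code): minimal model of the IDOR in
// WorkspaceInvitationsController::destroy and the ownership check that fixes it.
// All names below are illustrative assumptions, not identifiers from the project.

declare(strict_types=1);

final class Invitation
{
    public function __construct(
        public int $id,
        public int $workspaceId,
        public string $email,
    ) {}
}

// Stand-in for the database table, keyed by invitation id.
final class InvitationRepository
{
    /** @var array<int, Invitation> */
    private array $rows = [];

    public function add(Invitation $inv): void { $this->rows[$inv->id] = $inv; }
    public function find(int $id): ?Invitation { return $this->rows[$id] ?? null; }
    public function delete(int $id): void { unset($this->rows[$id]); }
    public function count(): int { return count($this->rows); }
}

final class InvitationsController
{
    public function __construct(private InvitationRepository $repo) {}

    // Vulnerable pattern: the record is looked up by id alone (route-model
    // binding behaves the same way) and deleted. Nothing ties the row to the
    // caller's workspace, so $currentWorkspaceId is never consulted.
    public function destroyVulnerable(int $currentWorkspaceId, int $invitationId): int
    {
        $inv = $this->repo->find($invitationId);
        if ($inv === null) {
            return 404;
        }
        $this->repo->delete($inv->id);
        return 204;
    }

    // Hardened pattern: refuse unless the invitation's workspace is the caller's
    // current workspace. Answering 404 for foreign ids avoids confirming that an
    // invitation with that id exists in another workspace.
    public function destroyFixed(int $currentWorkspaceId, int $invitationId): int
    {
        $inv = $this->repo->find($invitationId);
        if ($inv === null || $inv->workspaceId !== $currentWorkspaceId) {
            return 404;
        }
        $this->repo->delete($inv->id);
        return 204;
    }
}

// Constructed sample data: workspace 1 is the attacker's, workspace 2 the victim's.
$repo = new InvitationRepository();
$repo->add(new Invitation(10, 1, 'alice@example.com'));
$repo->add(new Invitation(20, 2, 'bob@example.com'));
$controller = new InvitationsController($repo);

$attackerWorkspace = 1;

// The attacker, acting in workspace 1, targets invitation 20 from workspace 2.
printf("vulnerable: status %d, invitations left %d\n",
    $controller->destroyVulnerable($attackerWorkspace, 20), $repo->count());

// Restore the victim's invitation and repeat against the hardened method.
$repo->add(new Invitation(20, 2, 'bob@example.com'));
printf("fixed (foreign id): status %d, invitations left %d\n",
    $controller->destroyFixed($attackerWorkspace, 20), $repo->count());

// The hardened method still lets the owner delete their own invitation.
printf("fixed (own id):     status %d, invitations left %d\n",
    $controller->destroyFixed($attackerWorkspace, 10), $repo->count());
```

Run it with `php` to see the vulnerable method delete the foreign invitation while the hardened one leaves it in place and only deletes the caller's own. In a Laravel code base the same comparison belongs either in a policy attached to the invitation model or in the query that resolves the invitation, so that every action reading an invitation ID inherits the check rather than each method repeating it.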

Added: Apr 27, 2026, 6:23 PM
Updated: Apr 27, 2026, 6:23 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  6.6
remediation     0.0
relevance       6.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.