Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
solidtime vulnerable to IDOR in private projects
Vulnerability Description
solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
solidtime 安全漏洞
Vulnerability Description
solidtime是solidtime开源的一个开源的时间追踪应用。 solidtime 0.11.6之前版本存在安全漏洞,该漏洞源于项目详情端点未正确应用visibleByEmployee()范围,可能导致任何经过身份验证的员工通过UUID访问组织内的任何项目,包括其非成员的私有项目。
CVSS Information
N/A
Vulnerability Type
N/A