mirror of
https://github.com/makeplane/plane.git
synced 2026-07-09 20:10:06 +02:00
GHSA-933r-rxg8-f3h2 — EstimatePointEndpoint.create trusted the estimate_id URL parameter without verifying it belonged to the caller's workspace and project. An authenticated user in project A could inject estimate points into any other workspace's estimate by supplying a foreign estimate_id. Fix: added a workspace+project scoped Estimate ownership check before EstimatePoint.objects.create(). GHSA-933r-rxg8-f3h2 (destroy) — old_estimate_point was fetched with pk only (unscoped), allowing cross-tenant key disclosure and manipulation during the key-rearrangement step. Fix: scoped the old_estimate_point lookup to estimate_id + project_id + workspace__slug; added 404 guard for missing/foreign points. Note: BulkEstimatePointEndpoint.partial_update (GHSA-vm3j-5j49-gwrf) was already correctly scoped at lines 116 and 125-130 — no change needed. Co-authored-by: Plane AI <noreply@plane.so>