php · paymenter/paymenter · Heads-up
paymenter/paymenter: Missing ownership validation in ticket creation endpoint
What changed
The ticket creation endpoint previously accepted a user-supplied service identifier without checking that the service belonged to the requesting user. It now enforces ownership validation on that identifier.
Who it affects
Authenticated users who could create support tickets referencing services belonging to other accounts.
What to do today
Update to the latest patched version of paymenter/paymenter to enforce ownership validation on the ticket creation endpoint.
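The ownership check this advisory describes, shown beside the unchecked pattern, as an added example that is not Paymenter's own code. The `service_id` field name, the function names and the in-memory service table are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not Paymenter's schema): service id => owning user id.
$services = [101 => 1, 102 => 1, 201 => 2];

// "Before" pattern: the service id from the request is stored as-is.
function createTicketUnchecked(int $userId, array $input): array
{
    return ['user_id' => $userId, 'service_id' => $input['service_id'] ?? null];
}

// "After" pattern: a supplied service must exist and belong to the caller.
// Unknown and foreign ids fail identically, so the response does not reveal
// which service ids exist on other accounts.
function createTicketChecked(array $services, int $userId, array $input): array
{
    $serviceId = $input['service_id'] ?? null;
    if ($serviceId !== null) {
        $serviceId = filter_var($serviceId, FILTER_VALIDATE_INT);
        if ($serviceId === false || ($services[$serviceId] ?? null) !== $userId) {
            throw new InvalidArgumentException('The selected service is invalid.');
        }
    }
    return ['user_id' => $userId, 'service_id' => $serviceId];
}

// Audit helper: stored tickets whose service is owned by a different account.
function findMismatchedTickets(array $services, array $tickets): array
{
    return array_values(array_filter(
        $tickets,
        fn (array $t): bool => $t['service_id'] !== null
            && ($services[$t['service_id']] ?? null) !== $t['user_id']
    ));
}

// User 2 references service 101, which belongs to user 1.
$stored = [createTicketUnchecked(2, ['service_id' => 101])];            // stored unchecked
$stored[] = createTicketChecked($services, 2, ['service_id' => '201']); // caller's own service
try {
    createTicketChecked($services, 2, ['service_id' => 101]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'mismatched stored tickets: ', count(findMismatchedTickets($services, $stored)), PHP_EOL;
```

The audit helper reflects a check worth running after upgrading: tickets created before the fix may still reference services owned by other accounts.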