solidinvoice/solidinvoice: Authorization Bypass in Symfony LiveComponent Actions
Four authorization bypass vulnerabilities in Symfony LiveComponent actions: Cross-User API Token Revocation, Cross-User API Token History Disclosure, Cross-User Notification Transport Settings Disclosure, and Cross-User Notification Transport Setting Takeover.
What changed
Four authorization bypass vulnerabilities in Symfony LiveComponent actions: Cross-User API Token Revocation, Cross-User API Token History Disclosure, Cross-User Notification Transport Settings Disclosure, and Cross-User Notification Transport Setting Takeover. LiveComponent actions accept entity IDs without verifying ownership, allowing any authenticated user within a company to access, modify, or delete other users' API tokens and notification transport settings.
Who it affects
All deployments of solidinvoice/solidinvoice that use Symfony LiveComponents. Any authenticated user in a company can revoke other users' API tokens, read their token history (source IPs, user agents), and take over their notification transport credentials (Slack, Discord, Telegram, SMS API keys).
What to do today
Apply the suggested fix: in each LiveAction (and wherever a LiveProp is hydrated from a client-supplied ID), load the entity and verify that it belongs to the current user before reading, modifying or deleting it, e.g., `if ($token->getUser() !== $this->security->getUser()) { throw $this->createAccessDeniedException(); }`. The same ownership check applies to notification transport settings.
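The pattern above, shown as a complete Symfony UX LiveComponent. This is an added example, not SolidInvoice's own code: the component, the `ApiToken` entity, its repository and the action names are hypothetical, and the vulnerable action is kept next to the fixed one so the missing check is visible. The fixed version compares users by identifier rather than with `!==` on the objects, because the entity attached to the token and the one in the security context are not guaranteed to be the same PHP instance.

```php
<?php
// Constructed example (not SolidInvoice's code): a LiveComponent that revokes
// API tokens. revokeInsecure() is the vulnerable pattern the advisory describes;
// revoke() and assertOwnership() carry the ownership check it recommends.
// ApiToken, ApiTokenRepository and the component name are hypothetical.

declare(strict_types=1);

namespace App\Twig\Components;

use App\Entity\ApiToken;
use App\Repository\ApiTokenRepository;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveAction;
use Symfony\UX\LiveComponent\Attribute\LiveArg;
use Symfony\UX\LiveComponent\Attribute\LiveProp;
use Symfony\UX\LiveComponent\Attribute\PostHydrate;
use Symfony\UX\LiveComponent\DefaultActionTrait;

#[AsLiveComponent('api_token_list')]
final class ApiTokenList extends AbstractController
{
    use DefaultActionTrait;

    // A writable LiveProp is hydrated from a client-controlled id, so it needs
    // the same ownership check as an action argument.
    #[LiveProp(writable: true)]
    public ?ApiToken $selected = null;

    public function __construct(
        private readonly ApiTokenRepository $tokens,
        private readonly EntityManagerInterface $em,
        private readonly Security $security,
    ) {
    }

    // VULNERABLE: the id arrives in the request body and any authenticated user
    // can send any value. Nothing ties the token to the caller.
    #[LiveAction]
    public function revokeInsecure(#[LiveArg] int $id): void
    {
        $token = $this->tokens->find($id);
        if ($token === null) {
            return;
        }
        $this->em->remove($token);
        $this->em->flush();
    }

    // FIXED: resolve the token, then verify it belongs to the current user
    // before touching it. "Not found" and "not yours" get the same response so
    // the action does not reveal whether a foreign id exists.
    #[LiveAction]
    public function revoke(#[LiveArg] int $id): void
    {
        $token = $this->tokens->find($id);
        if ($token === null || !$this->isOwnedByCurrentUser($token)) {
            throw $this->createAccessDeniedException();
        }
        $this->em->remove($token);
        $this->em->flush();
    }

    // Runs after LiveProps are hydrated, i.e. before any action or re-render
    // can read $this->selected.
    #[PostHydrate]
    public function assertOwnership(): void
    {
        if ($this->selected !== null && !$this->isOwnedByCurrentUser($this->selected)) {
            throw $this->createAccessDeniedException();
        }
    }

    private function isOwnedByCurrentUser(ApiToken $token): bool
    {
        $current = $this->security->getUser();
        $owner = $token->getUser();

        return $current !== null
            && $owner !== null
            && $owner->getUserIdentifier() === $current->getUserIdentifier();
    }
}
```

The same shape applies to the notification transport components: load by id, check ownership, then act. If the project already uses Symfony security voters, `$this->denyAccessUnlessGranted('REVOKE', $token)` with a voter that performs the owner comparison keeps the rule in one place instead of repeating it in every action.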