CVEs
A curated list of CVEs I've picked up so far.
11 published entries
Cross-user Fixer/API Layer credential use in exchange-rate refresh let one user trigger provider-backed actions through another user's stored credential.
Cross-user subscription cost inference via replacement_subscription_id let an authenticated user infer another user's subscription cost through unscoped stats dereferencing.
Inconsistent scope enforcement for AttachAction and AssociateAction Select fields let out-of-scope records pass through backend validation.
Authenticated cross-tenant credential disclosure exposed another client's secrets through an unprotected credential modal.
Payment methods, currencies, and carriers exposed inline toggles and record actions without proper per-action authorization checks.
Team settings authorization defects let authenticated panel users take over the RBAC system itself.
Multiple admin Livewire issues led to data tampering, sensitive data disclosure, and stored XSS.
Product editor sub-form Livewire components accepted unauthorized store actions and allowed tampering without the required permission.
A discount race condition enabled silent over-redemption and effectively bypassed the per-user usage limit.
Missing authorization on order mutation actions let low-privileged authenticated users mutate order state without the required write permission.
A generic download endpoint let authenticated users use one valid record as an authorization anchor to download unrelated Laravel Storage objects.
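The discount race condition in the list above is the classic check-then-act pattern: the usage counter is read, compared against the limit, and only later incremented, so concurrent requests that all read before any of them writes every pass the check. The following is an added example, not the affected project's code, that reproduces the pattern against a constructed SQLite store and shows the fix a practitioner would apply: fold the limit check into the same UPDATE that increments the counter, so the database serializes the check and the write. The table name, the user id "alice", the limit of 1 and the artificial delay are all constructed for the demonstration.

```python
"""Per-user discount limit: check-then-act race vs. atomic conditional update.

Constructed example (not the project's code): a file-backed SQLite store and
a group of threads that fire concurrent redemptions for one user whose limit is 1.
"""
import os
import sqlite3
import tempfile
import threading
import time

LIMIT = 1  # per-user usage limit (constructed value)


def _connect(path):
    # Autocommit mode: each statement is its own short transaction, the way a
    # typical ORM call behaves. timeout lets concurrent writers wait for the lock.
    return sqlite3.connect(path, timeout=10, isolation_level=None)


def make_store():
    """Create a fresh store with one user who has not redeemed anything yet."""
    path = os.path.join(tempfile.mkdtemp(), "discounts.db")
    con = _connect(path)
    con.execute("CREATE TABLE usage (user_id TEXT PRIMARY KEY, uses INTEGER NOT NULL)")
    con.execute("INSERT INTO usage VALUES ('alice', 0)")
    con.close()
    return path


def redeem_racy(path, user_id, delay=0.2):
    """Vulnerable: read the counter, decide in application code, then write.
    Every request that reads before any write lands sees uses == 0 and passes."""
    con = _connect(path)
    (uses,) = con.execute("SELECT uses FROM usage WHERE user_id=?", (user_id,)).fetchone()
    if uses >= LIMIT:
        con.close()
        return False
    time.sleep(delay)  # widen the window: price calculation, extra queries, request hops
    con.execute("UPDATE usage SET uses = uses + 1 WHERE user_id=?", (user_id,))
    con.close()
    return True


def redeem_atomic(path, user_id):
    """Hardened: the limit is enforced inside the UPDATE itself, so the database
    serializes check and increment; rowcount tells the caller whether it won."""
    con = _connect(path)
    cur = con.execute(
        "UPDATE usage SET uses = uses + 1 WHERE user_id=? AND uses < ?",
        (user_id, LIMIT),
    )
    won = cur.rowcount == 1
    con.close()
    return won


def hammer(path, redeem, user_id="alice", workers=8):
    """Fire `workers` redemptions at once; return (successful redemptions, final counter)."""
    barrier = threading.Barrier(workers)  # release all threads together
    results = []
    lock = threading.Lock()

    def worker():
        barrier.wait()
        ok = redeem(path, user_id)
        with lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = _connect(path)
    (uses,) = con.execute("SELECT uses FROM usage WHERE user_id=?", (user_id,)).fetchone()
    con.close()
    return sum(results), uses


if __name__ == "__main__":
    racy = hammer(make_store(), redeem_racy)
    safe = hammer(make_store(), redeem_atomic)
    print("racy  : successes=%d uses=%d (limit %d)" % (*racy, LIMIT))
    print("atomic: successes=%d uses=%d (limit %d)" % (*safe, LIMIT))
```

Running the script shows the racy path accepting every concurrent redemption while the atomic path accepts exactly one. The same fix translates directly to an ORM: a conditional increment (`WHERE uses < limit`) or a unique constraint on a redemption ledger row, checked by affected-row count, rather than a read followed by a separate write; wrapping the read and write in a transaction without a lock or a conditional predicate does not close the window.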