GHSA-q2f8-hpwm-236jMedium
Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app...
🔗 CVE IDs covered (1)
📋 Description
Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2026-59234
- https://github.com/Roskus/prospero-flow-crm/commit/8c26eed4d80544c30e55448e12a8e999af6d2b70
- https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3
- https://secur0.com/en/cna/cve-list/cve-2026-59234-idor-in-prospero-flow-crm-allows-deletion-of-other-users-calendar-events
- https://github.com/advisories/GHSA-q2f8-hpwm-236j