Summary
Four authorization bypass vulnerabilities in Symfony LiveComponent actions allow any authenticated user within a company to access, modify, or delete other users' API tokens and notification transport settings. The root cause is that LiveComponent actions accept entity IDs without verifying ownership, while the listing methods correctly filter by user.
Findings
1. Cross-User API Token Revocation (MEDIUM)
File: src/UserBundle/Twig/Components/ApiTokens.php, lines 50-55
The revoke() LiveAction accepts any ApiToken via #[LiveArg] without checking ownership. The apiTokens() method correctly filters by user (getApiTokensForUser($this->security->getUser())).
#[LiveAction]
public function revoke(#[LiveArg] ApiToken $token): void
{
$this->apiTokenRepository->revoke($token); // No ownership check
}
2. Cross-User API Token History Disclosure (MEDIUM)
File: src/UserBundle/Twig/Components/ApiTokenHistory.php, lines 30-55
The writable $token LiveProp performs $this->apiTokenRepository->find($this->token) without user verification. Exposes IP addresses, request methods, paths, and user agents from other users' API token usage.
3. Cross-User Notification Transport Settings Disclosure (HIGH)
File: src/NotificationBundle/Twig/Components/NotificationIntegrations.php, lines 48-55
The integration() method performs $this->repository->find($this->setting) using a writable LiveProp without user check. The enabledIntegrations() method correctly filters: $this->repository->findBy(['user' => $this->getUser()]).
The TransportSetting entity stores notification credentials in a JSON settings column, potentially exposing API keys for Slack, Discord, Telegram, or SMS services.
4. Cross-User Notification Transport Setting Takeover (HIGH)
File: src/NotificationBundle/Twig/Components/NotificationTransportConfiguration.php, lines 39-40, 84-101
The writable $setting LiveProp accepts any TransportSetting entity. The save() action overwrites the user field with the current user via $setting->setUser($user), effectively stealing the transport configuration and its stored credentials.
Root Cause
The application relies on Doctrine's CompanyFilter for tenant isolation but has no user-level access controls within a company. LiveComponent actions that resolve entities from client-provided IDs don't verify ownership.
Suggested Fix
Add user ownership verification in each LiveAction/LiveProp before performing operations:
if ($token->getUser() !== $this->security->getUser()) {
throw $this->createAccessDeniedException();
}
References
Summary
Four authorization bypass vulnerabilities in Symfony LiveComponent actions allow any authenticated user within a company to access, modify, or delete other users' API tokens and notification transport settings. The root cause is that LiveComponent actions accept entity IDs without verifying ownership, while the listing methods correctly filter by user.
Findings
1. Cross-User API Token Revocation (MEDIUM)
File:
src/UserBundle/Twig/Components/ApiTokens.php, lines 50-55The
revoke()LiveAction accepts anyApiTokenvia#[LiveArg]without checking ownership. TheapiTokens()method correctly filters by user (getApiTokensForUser($this->security->getUser())).2. Cross-User API Token History Disclosure (MEDIUM)
File:
src/UserBundle/Twig/Components/ApiTokenHistory.php, lines 30-55The writable
$tokenLiveProp performs$this->apiTokenRepository->find($this->token)without user verification. Exposes IP addresses, request methods, paths, and user agents from other users' API token usage.3. Cross-User Notification Transport Settings Disclosure (HIGH)
File:
src/NotificationBundle/Twig/Components/NotificationIntegrations.php, lines 48-55The
integration()method performs$this->repository->find($this->setting)using a writable LiveProp without user check. TheenabledIntegrations()method correctly filters:$this->repository->findBy(['user' => $this->getUser()]).The
TransportSettingentity stores notification credentials in a JSONsettingscolumn, potentially exposing API keys for Slack, Discord, Telegram, or SMS services.4. Cross-User Notification Transport Setting Takeover (HIGH)
File:
src/NotificationBundle/Twig/Components/NotificationTransportConfiguration.php, lines 39-40, 84-101The writable
$settingLiveProp accepts anyTransportSettingentity. Thesave()action overwrites the user field with the current user via$setting->setUser($user), effectively stealing the transport configuration and its stored credentials.Root Cause
The application relies on Doctrine's
CompanyFilterfor tenant isolation but has no user-level access controls within a company. LiveComponent actions that resolve entities from client-provided IDs don't verify ownership.Suggested Fix
Add user ownership verification in each LiveAction/LiveProp before performing operations:
References