CVE-2026-10285
Severity: Medium (CVSS v3 base score 5.4)
Weakness type: CWE-266 (Incorrect Privilege Assignment)
Published: Jun 1, 2026  ·  Modified: Jun 4, 2026  ·  Source: NVD
📄 Description (English)

A vulnerability has been found in DevaslanPHP project-management up to version 2.0.0-beta1. The affected code is the function KanbanScrumHelper::recordUpdated in the file app/Helpers/KanbanScrumHelper.php, part of the Ticket Handler component. Manipulation of the ticket-update flow leads to improper authorization. The attack can be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet.

🤖 AI Executive Summary

CVE-2026-10285 is a medium-severity improper-authorization vulnerability in the DevaslanPHP project-management application, affecting all versions up to 2.0.0-beta1. The flaw is in the KanbanScrumHelper class of the Ticket Handler component and lets a remote attacker bypass the authorization check applied when a ticket record is updated. The NVD vector (PR:L, C:N, I:L, A:L) assumes the attacker already holds a low-privileged account and rates the impact as limited modification or deletion of ticket data, with no confidentiality impact. With no patch available and the project unresponsive to the disclosure, organizations running this software face an elevated risk of unauthorized ticket and project changes.

🤖 AI Intelligence Analysis (analyzed Jun 2, 2026 00:34)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations running DevaslanPHP for project management, including government agencies, financial institutions that track internal projects on it, and healthcare providers, face a risk of unauthorized changes to project tickets. Because the NVD vector assigns no confidentiality impact (C:N) and only low integrity and availability impact, the documented exposure is to the integrity of project records (modification or deletion of tickets by a low-privileged account holder) rather than to disclosure. Government entities and critical-infrastructure operators carry the highest risk because their project-management data can contain strategically sensitive information.
🏢 Affected Saudi Sectors
Government (NCA, CITC, ministry entities); Banking and Financial Services; Healthcare; Energy and Utilities; Telecommunications; Education; Manufacturing
⚖️ Saudi Risk Score (AI): 6.2 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all DevaslanPHP installations and identify those at version 2.0.0-beta1 or earlier; every such version is affected and no fixed release exists.
2. Review application and web-server logs for ticket-update requests (the code path that reaches KanbanScrumHelper::recordUpdated) and look for updates made by accounts that are not members of the affected project.
3. Restrict network access to DevaslanPHP instances with firewall rules and a VPN requirement.
4. Take project-management interfaces off the public internet unless they must be reachable there.

Compensating Controls:
5. Add Web Application Firewall (WAF) rules that log and, where safe, block anomalous ticket-handler requests. A WAF cannot judge whether a given user may change a given ticket, so treat this as monitoring rather than a fix.
6. Apply least privilege. The vector requires a low-privileged account (PR:L), so review who holds accounts at all and remove dormant, shared and guest accounts.
7. Enable audit logging for every ticket modification, recording the acting user, ticket, project and timestamp.
8. Require multi-factor authentication (MFA) for project-management access, which raises the cost of obtaining the account the attack needs.
9. Forward the audit log to a SIEM and alert on unauthorized ticket-access patterns.

Patching Strategy:
10. Contact the DevaslanPHP maintainers for a patch timeline; the issue report filed at disclosure has gone unanswered so far.
11. Evaluate migration to an actively maintained project-management solution.
12. When a fix is released, test it in a staging environment before deploying it to production.

Detection Rules:
- The helper is called internally by the application and is not visible from the network, so instrument KanbanScrumHelper::recordUpdated (or the ticket-update route that calls it) to log each invocation with the acting user and ticket.
- Alert on ticket modifications by users who hold no editing role on the ticket's project.
- Track authorization failures on ticket-handler endpoints and alert on bursts from a single account.
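The second and third detection rules above, as an added example that is not DevaslanPHP's code and not part of the original advisory. It assumes an application audit log in JSON-lines form with the fields shown, a project-membership table mapping users to roles, and a set of roles allowed to edit tickets; the log format, field names, membership model and the sample log itself are all constructed for illustration.

```python
"""Offline detection over a constructed ticket audit log (added example)."""
import json
from collections import Counter

# Roles permitted to modify a ticket (assumption for the example).
EDIT_ROLES = {"owner", "manager", "member"}

# Constructed sample audit log, one JSON object per line. Not real data.
SAMPLE_LOG = """\
{"ts":"2026-06-02T08:01:10Z","event":"ticket.updated","user":"u1","ticket":"T-101","project":"P-1"}
{"ts":"2026-06-02T08:02:31Z","event":"ticket.updated","user":"u9","ticket":"T-101","project":"P-1"}
{"ts":"2026-06-02T08:03:05Z","event":"auth.denied","user":"u9","ticket":"T-102","project":"P-2"}
{"ts":"2026-06-02T08:03:06Z","event":"auth.denied","user":"u9","ticket":"T-103","project":"P-2"}
{"ts":"2026-06-02T08:03:07Z","event":"auth.denied","user":"u9","ticket":"T-104","project":"P-2"}
{"ts":"2026-06-02T08:04:00Z","event":"ticket.updated","user":"u2","ticket":"T-200","project":"P-2"}
{"ts":"2026-06-02T08:05:00Z","event":"ticket.updated","user":"u3","ticket":"T-201","project":"P-2"}
"""

# Constructed membership table: project -> {user: role}.
MEMBERSHIP = {
    "P-1": {"u1": "owner", "u2": "member"},
    "P-2": {"u2": "manager", "u3": "viewer"},
}


def parse_log(text):
    """Parse JSON lines; malformed lines become parse.error events so they are counted, not lost."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            events.append({"event": "parse.error", "line": lineno})
    return events


def unauthorized_updates(events, membership=MEMBERSHIP):
    """Rule 2: ticket modifications by users without an editing role on the ticket's project."""
    alerts = []
    for e in events:
        if e.get("event") != "ticket.updated":
            continue
        role = membership.get(e["project"], {}).get(e["user"])
        if role not in EDIT_ROLES:
            alerts.append({"ts": e["ts"], "user": e["user"], "ticket": e["ticket"],
                           "project": e["project"], "role": role})
    return alerts


def denied_bursts(events, threshold=3):
    """Rule 3: accounts with at least `threshold` authorization failures on ticket endpoints."""
    counts = Counter(e["user"] for e in events if e.get("event") == "auth.denied")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in unauthorized_updates(evs):
        print("UNAUTHORIZED UPDATE", alert)
    print("DENIED BURSTS", denied_bursts(evs))
```

In the sample, u9 edits a ticket in a project it does not belong to and u3 edits with a read-only role; both are flagged, and u9's three denials on P-2 trip the burst rule. In a real deployment the membership table would be read from the application database rather than embedded.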
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- A.9.1.1 Access Control Policy: improper authorization violates access-control principles
- A.9.2.1 User Registration and De-registration: unauthorized access to user functions
- A.9.4.3 Review of User Access Rights: requires monitoring of unauthorized access attempts
- A.12.4.1 Event Logging: requires audit trails for authorization failures
🔵 SAMA CSF
- ID.AM-2 Asset Management: identify and manage vulnerable software assets
- PR.AC-1 Access Control Policy: improper authorization is a direct violation
- PR.AC-4 Access Rights Management: authorization bypass requires immediate remediation
- DE.CM-1 Detection Processes: monitor for unauthorized access patterns
🟡 ISO 27001:2022
- A.5.15 Access control: authorization controls must be properly implemented
- A.8.2 Privileged access rights: incorrect privilege assignment violates this control
- A.8.3 Information access restriction: users must not be able to bypass access restrictions
- A.8.15 Logging: requires audit trails for authorization failures
🟣 PCI DSS v4.0.1
- 7.1 Processes and mechanisms for restricting access to system components and cardholder data are defined and understood: an authorization bypass undermines this requirement
- 7.2 Access to system components and data is appropriately defined and assigned: improper authorization means access is not assigned as defined
- 10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity: requires logging of authorization failures
📊 CVSS Score: 5.4 / 10.0 (Medium)
📊 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
- Attack Vector (AV:N): Network
- Attack Complexity (AC:L): Low
- Privileges Required (PR:L): Low
- User Interaction (UI:N): None
- Scope (S:U): Unchanged
- Confidentiality (C:N): None
- Integrity (I:L): Low
- Availability (A:L): Low
📋 Quick Facts
Severity: Medium
CVSS Score: 5.4
CWE: CWE-266
EPSS: 0.05%
Exploit: No
Patch: No
Published: 2026-06-01
Source Feed: nvd
🇸🇦 Saudi Risk Score: 6.2 / 10.0, Priority: HIGH
🏷️ Tags: CWE-266