Summary
The campaign creation/update validation rules for email_service_id and template_id use bare exists rules that check global table existence without workspace scoping. This allows users in one workspace to reference email services and templates belonging to other workspaces.
Affected Code
File: src/Http/Requests/CampaignStoreRequest.php, lines 39-48
'email_service_id' => [
'required',
'integer',
'exists:sendportal_email_services,id', // No workspace_id check
],
'template_id' => [
'nullable',
'exists:sendportal_templates,id', // No workspace_id check
],Same issue in CampaignTemplateUpdateRequest.php, line 27.
Impact
- Email service credential abuse (MEDIUM): When a campaign is dispatched or previewed, the system loads the referenced email service including encrypted API credentials (Mailgun/SendGrid/SES/SMTP) via the
$campaign->email_service relationship. An attacker's campaign uses the victim's sending infrastructure.
- Template content disclosure (LOW-MEDIUM): Campaign preview renders the referenced template's HTML content via
getMergedContentAttribute().
Secure Comparison
The same request class correctly validates tags with workspace-scoped Rule::in($tags) where $tags is fetched from TagTenantRepository::pluck($workspaceId). The CanAccessTag and CanAccessSubscriber rules also properly check workspace ownership.
Fix
'email_service_id' => [
'required',
'integer',
Rule::exists('sendportal_email_services', 'id')
->where('workspace_id', Sendportal::currentWorkspaceId()),
],
'template_id' => [
'nullable',
Rule::exists('sendportal_templates', 'id')
->where('workspace_id', Sendportal::currentWorkspaceId()),
],Additional Issue
WorkspaceUsersController::destroy uses User::find($userId) globally and unconditionally sets current_workspace_id = null, allowing any workspace owner to disrupt another user's session (low severity, auto-recovery on next request).
Summary
The campaign creation/update validation rules for
email_service_idandtemplate_iduse bareexistsrules that check global table existence without workspace scoping. This allows users in one workspace to reference email services and templates belonging to other workspaces.Affected Code
File:
src/Http/Requests/CampaignStoreRequest.php, lines 39-48Same issue in
CampaignTemplateUpdateRequest.php, line 27.Impact
$campaign->email_servicerelationship. An attacker's campaign uses the victim's sending infrastructure.getMergedContentAttribute().Secure Comparison
The same request class correctly validates tags with workspace-scoped
Rule::in($tags)where$tagsis fetched fromTagTenantRepository::pluck($workspaceId). TheCanAccessTagandCanAccessSubscriberrules also properly check workspace ownership.Fix
Additional Issue
WorkspaceUsersController::destroyusesUser::find($userId)globally and unconditionally setscurrent_workspace_id = null, allowing any workspace owner to disrupt another user's session (low severity, auto-recovery on next request).