Identical Project Names via Move Issue Drop Down leads to Confusion
HackerOne report #3019236 by foxribeye on 2025-03-01, assigned to @greg:
Report
My previous report (#2705566) is similar to this one. A fix is in progress, but I’m unsure if it will also apply to the Move Issue dropdown, so I'm just going to report this.
The bug is that the dropdown can show duplicate project names, since it doesn't disambiguate entries with unique slugs.
An attacker could create a project with the same name as a victim's. Since the two entries are indistinguishable, the victim might select the wrong one and move a confidential issue into the wrong project.
Steps to reproduce:
- As the victim, create a confidential issue in a project (e.g., "OtherProject").
- As the victim, create a project named "Project1" to move the issue into.
- As the attacker, create a project also named "Project1", add the victim as an owner, and set your display name to the victim's profile name, "Victim".
- As the victim, open the Move Issue dropdown in the confidential issue, select "Project1" and move the issue; notice that you can't distinguish the victim's "Project1" from the attacker's "Project1".
- As the attacker, view the issues and see that the confidential issue has been moved to the attacker’s "Project1".
Poc:
Impact
Duplicate project names in the Move Issue dropdown menu can result in confidential issues being moved into the wrong project.
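As an added example (not GitLab's code and not part of the report), one way a project picker can defend against this: key every option by the project's unique full path rather than its display name, and show that path in the label whenever a name collides in the list. The `name` and `fullPath` record fields and the sample projects are assumptions constructed for the example.

```javascript
// Added example (not the project's own code): build option labels for a
// "move issue" picker so that two projects with the same display name cannot
// be confused. Record fields `name` and `fullPath` are assumed.
function labelProjectsForPicker(projects) {
  // Count how many projects share each display name.
  const nameCounts = new Map();
  for (const p of projects) {
    nameCounts.set(p.name, (nameCounts.get(p.name) || 0) + 1);
  }
  return projects.map((p) => {
    const ambiguous = nameCounts.get(p.name) > 1;
    return {
      // The submitted value is always the unique full path, never the
      // display name, so a same-named project cannot stand in for another.
      value: p.fullPath,
      // The owner's display name is not used for disambiguation: the report
      // shows it can be changed to match the victim's. The namespace path cannot.
      label: ambiguous ? `${p.name} (${p.fullPath})` : p.name,
      ambiguous,
    };
  });
}

// Returns true if any two options would render with the same label,
// i.e. the picker would still be confusable.
function hasDuplicateLabels(options) {
  const seen = new Set();
  for (const o of options) {
    if (seen.has(o.label)) return true;
    seen.add(o.label);
  }
  return false;
}

// Constructed sample input mirroring the report's scenario: two "Project1"
// entries in different namespaces plus one unrelated project.
const sampleProjects = [
  { name: "Project1", fullPath: "victim/project1" },
  { name: "Project1", fullPath: "attacker/project1" },
  { name: "OtherProject", fullPath: "victim/otherproject" },
];

const pickerOptions = labelProjectsForPicker(sampleProjects);
console.log(pickerOptions.map((o) => o.label));
// The same list labelled by display name alone would be confusable:
console.log(hasDuplicateLabels(sampleProjects.map((p) => ({ label: p.name }))));
```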