


Perceptive Security
SOC/SIEM Consultancy

Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authoriz…
Published:
5 March 2026 at 23:00:00
Alert date:
6 March 2026 at 22:01:20
Source:
nvd.nist.gov
Web Technologies, Identity & Access
Vito, a self-hosted web application for managing servers and deploying PHP applications, contains a missing authorization check vulnerability in workflow site-creation actions prior to version 3.20.3. The vulnerability allows authenticated attackers with workflow write access in one project to create and manage sites on servers belonging to other projects by supplying a foreign server_id. This represents a privilege escalation issue that could allow unauthorized cross-project access. The vulnerability has been patched in version 3.20.3.
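The class of check described above, shown as an added example (this is not Vito's code or the upstream patch): a client-supplied `server_id` resolved globally versus resolved within the workflow's own project. All function names and the sample data are hypothetical and constructed for illustration.

```php
<?php declare(strict_types=1);

// Constructed sample data, not Vito's schema: each server belongs to one project.
function servers(): array
{
    return [10 => ['project_id' => 1, 'name' => 'alpha-web'],
            20 => ['project_id' => 2, 'name' => 'beta-web']];
}

// Missing-authorization pattern: any existing id is accepted, whatever the caller's project.
function resolveServerUnscoped(int $serverId): array
{
    $server = servers()[$serverId] ?? null;
    if ($server === null) {
        throw new DomainException('server not found');
    }
    return $server;
}

// Hardened pattern: the lookup is bound to the workflow's own project.
// Missing and foreign ids return the same error, so ids in other projects are not revealed.
function resolveServerForProject(int $projectId, int $serverId): array
{
    $server = servers()[$serverId] ?? null;
    if ($server === null || $server['project_id'] !== $projectId) {
        throw new DomainException('server not found in this project');
    }
    return $server;
}

// Hypothetical site-creation action: validate the input, then resolve the target server.
function createSite(int $workflowProjectId, array $input, bool $scoped): string
{
    $serverId = filter_var($input['server_id'] ?? null, FILTER_VALIDATE_INT);
    if ($serverId === false) {
        throw new InvalidArgumentException('server_id must be an integer');
    }
    $server = $scoped
        ? resolveServerForProject($workflowProjectId, $serverId)
        : resolveServerUnscoped($serverId);
    return "site created on {$server['name']}";
}

// A workflow in project 1 submits a server_id that belongs to project 2.
echo createSite(1, ['server_id' => 20], false), PHP_EOL; // accepted: cross-project write
try {
    createSite(1, ['server_id' => 20], true);
} catch (DomainException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;        // scoped lookup refuses it
}
```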
Technical details
Mitigation steps:
Affected products:
Vito
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-29789
https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326
https://github.com/vitodeploy/vito/pull/1036
https://github.com/vitodeploy/vito/releases/tag/3.20.3
https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
