Tuist · Tuist · CVE-2026-44678
**Name of the Vulnerable Software and Affected Versions**
Tuist versions prior to 1.180.9
**Description**
The `DELETE /api/projects/{account handle}/{project handle}/previews/{preview id}` endpoint loads a preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The project-level authorization plug `AuthorizationPlug, :preview` authorizes the caller against the project encoded in `account handle` and `project handle`. Because an attacker can control those path segments, any preview whose UUID is supplied can be deleted.
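The missing ownership check described above, modeled in Python as an added example. It is not Tuist's code, and the class, method names and sample data are constructed for illustration. The unscoped delete authorizes the project from the URL and then looks the preview up by UUID alone, while the scoped version also requires the preview to belong to that project.

```python
# Constructed model of the flaw, not Tuist's code. All names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Preview:
    id: str
    project: tuple  # (account handle, project handle) that owns the preview


class PreviewStore:
    def __init__(self, previews, acl):
        self.previews = {p.id: p for p in previews}
        self.acl = acl  # user -> set of projects the user may manage

    def _authorize(self, user, project):
        # Stand-in for the project-level plug: checks only the project in the URL.
        if project not in self.acl.get(user, set()):
            raise PermissionError("forbidden")

    def delete_unscoped(self, user, account, project, preview_id):
        """Flawed pattern: authorize the URL project, then look up by UUID alone."""
        self._authorize(user, (account, project))
        return self.previews.pop(preview_id, None) is not None

    def delete_scoped(self, user, account, project, preview_id):
        """Corrected pattern: the lookup is constrained to the authorized project."""
        self._authorize(user, (account, project))
        preview = self.previews.get(preview_id)
        if preview is None or preview.project != (account, project):
            return False  # same answer as "not found" for foreign previews
        del self.previews[preview_id]
        return True


def fresh_store():
    # Constructed sample data: two projects, one preview each.
    return PreviewStore(
        [Preview("uuid-a", ("acme", "app")), Preview("uuid-b", ("other", "app"))],
        {"alice": {("acme", "app")}, "bob": {("other", "app")}},
    )


def demo():
    results = {}
    store = fresh_store()
    results["unscoped_cross_project"] = store.delete_unscoped("bob", "other", "app", "uuid-a")
    store = fresh_store()
    results["scoped_cross_project"] = store.delete_scoped("bob", "other", "app", "uuid-a")
    results["scoped_preview_survives"] = "uuid-a" in store.previews
    results["scoped_own_project"] = store.delete_scoped("bob", "other", "app", "uuid-b")
    return results
```

A regression test for the fix should assert the cross-project case explicitly, since a request against the caller's own project passes both versions.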
**Recommendations**
Update to a version later than 1.180.8.