overextended / ox_inventory

Slot-based inventory with metadata.
https://overextended.dev/ox_inventory
GNU General Public License v3.0

Same plate number Inventory Exploit #1829

Closed gringoDiaz closed 4 days ago

gringoDiaz commented 1 week ago

Describe the bug
There is an exploit in the FiveM ox_inventory system that allows a player to access another player's car inventory. Specifically, if a player puts an item in their car (for example, a Kuruma with the plate "ABC 123"), another player can exploit a bug to duplicate the plate number. If they change their vehicle's plate to match the original ("ABC 123"), they gain access to the first player's car inventory and can retrieve all items stored inside.

Although most plate number changers have anti-duplication measures, this bug allows for bypassing those protections, creating a significant security issue.

Framework
QBOX

Resource version
version '2.42.3'

To Reproduce
Steps to reproduce the behavior:

  1. Put an item in your vehicle (e.g., Kuruma with plate "ABC 123").
  2. Another player uses a bug to copy your plate number.
  3. The second player changes their vehicle's plate to match yours.
  4. The second player can now access your car's inventory and retrieve items.

Expected behavior
Players should not be able to access another player's vehicle inventory, even if they change their plate number to match. Proper security measures should prevent unauthorized access.

Screenshots
first-vehicle (image not recoverable)
![second-vehicle](https://github.com/user-attachments/assets/b0d6090c-a9d5-4441-a0d3-ff45fef38c3d)

Additional context
This issue poses a major risk to inventory security within the game and needs urgent attention to ensure fair gameplay.

thelindat commented 4 days ago

Cheating isn't a bug and GTAV/FiveM is pretty much all client-sided. I've added some additional security checks but it will lead to some cases where trunks/gloveboxes are unavailable on vehicles with a duplicate plate - which may take some time to clear on entity deletion.

Vehicle ownership checks are framework-specific so I can't say for sure if it works outside of ox_core, but it prevents accessing the owned inventory - creating a temporary one instead.
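As an added illustration (not code from ox_inventory or its maintainer), the following Python model shows why a trunk keyed only by plate text is reachable from any entity carrying the same text, and the ownership-plus-duplicate-plate check with a temporary fallback inventory that the comment above describes. The `Vehicle`/`Server` structures, the `owned_plates` table and the sample data are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of a server-side vehicle inventory lookup; not ox_inventory code.

@dataclass
class Vehicle:
    entity: int            # server-side entity id
    plate: str             # plate text read from the entity (player-influenced)
    owner: Optional[int]   # player id the framework attached when it spawned the vehicle

@dataclass
class Server:
    vehicles: Dict[int, Vehicle] = field(default_factory=dict)
    owned_plates: Dict[str, int] = field(default_factory=dict)   # plate -> owning player
    trunks: Dict[str, List[str]] = field(default_factory=dict)   # persistent, keyed by plate
    temp: Dict[int, List[str]] = field(default_factory=dict)     # temporary, keyed by entity

    @staticmethod
    def norm(plate: str) -> str:
        return plate.strip().upper()

    def duplicates(self, plate: str) -> List[int]:
        """Entity ids currently carrying this plate text (useful as a detection signal)."""
        return [e for e, v in self.vehicles.items() if self.norm(v.plate) == self.norm(plate)]

    def open_trunk_unsafe(self, entity: int) -> List[str]:
        """Plate-only lookup: any entity with a matching plate reaches the owner's trunk."""
        return self.trunks.setdefault(self.norm(self.vehicles[entity].plate), [])

    def open_trunk_checked(self, entity: int) -> List[str]:
        """Ownership + duplicate check; fall back to a temporary inventory when either fails."""
        veh = self.vehicles[entity]
        plate = self.norm(veh.plate)
        registered_owner = self.owned_plates.get(plate)
        if (registered_owner is None or veh.owner != registered_owner
                or len(self.duplicates(plate)) > 1):
            return self.temp.setdefault(entity, [])   # never the persistent trunk
        return self.trunks.setdefault(plate, [])

def scenario():
    """Replays the report: player 1 stores an item, player 2 re-plates a second car to match."""
    s = Server()
    s.owned_plates["ABC 123"] = 1
    s.vehicles[100] = Vehicle(100, "ABC 123", owner=1)
    s.open_trunk_checked(100).append("item")            # stored while the plate is unique
    s.vehicles[200] = Vehicle(200, "abc 123", owner=2)  # second car carrying the same text
    return (s.open_trunk_unsafe(200),    # plate-only lookup exposes player 1's item
            s.open_trunk_checked(200),   # checked lookup hands out an empty temporary trunk
            s.open_trunk_checked(100))   # the stated caveat: owner also gets a temporary trunk
```

The third value reproduces the maintainer's caveat: while a duplicate plate exists, even the genuine owner is served a temporary inventory until the duplicate entity is gone.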