"package_name" can be set as desired when submitting a Pentest Opportunity form

Disclosed: 2024-06-19 10:50:29 By iam_srpk To security
Medium
Vulnerability Details
**Summary:**

Hello Team,

While filling up the Pentest Opportunity form, the mutation `AutoSavePentestOpportunity` allowed me to set a value for `package_name` (i.e. =="package_name": "premium_p80"==), which should be done only by ***the internal reviewing staff*** upon submitting the form.

### Steps To Reproduce

1. Create New Pentest
2. Intercept using Burp and wait for the auto update function to begin
3. You will see the following query

```
mutation AutosavePentestOpportunity($input: AutosavePentestOpportunityInput!) {
  autosavePentestOpportunity(input: $input) {
    was_successful
    errors(first: 100) {
      edges {
        node {
          id
          type
          field
          message
          __typename
        }
        __typename
      }
      __typename
    }
    __typename
  }
}
```

4. Include this line before forwarding the request `"package_name": "premium_p80"`

███████

5. Complete the form and submit it
6. Now, reopen the submitted form to check if `OpportunityStatusQuery` mutation shows the field ==package_name== as set before.

██████████

Check POC Video

██████████

A similar report: #2040756

## Impact

Improper access control
Report Stats
  • Report ID: 2431495
  • State: Closed
  • Substate: resolved
  • Upvotes: 52
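
The report describes a client setting a field that only reviewing staff should write. As an added illustration (not HackerOne's code and not part of the report), the sketch below contrasts an autosave handler that copies every submitted key with one that enforces a per-role allowlist of writable fields; the role names and every field name except `package_name` are assumptions.

```python
# Added example: field-level write authorization for an autosave-style mutation.
# Role names and all field names except package_name are assumptions.
import logging

log = logging.getLogger("autosave")

# Fields each role may write. package_name is reserved for reviewing staff.
CUSTOMER_FIELDS = frozenset({"title", "scope_description", "start_date"})
WRITABLE_FIELDS = {
    "customer": CUSTOMER_FIELDS,
    "staff": CUSTOMER_FIELDS | {"package_name"},
}


class FieldNotWritable(Exception):
    """Raised when the input carries a field the caller's role may not set."""


def autosave_vulnerable(record: dict, user_input: dict) -> dict:
    # Mass assignment: every key the client sends is copied onto the record,
    # so a customer-supplied package_name is stored as if staff had set it.
    return {**record, **user_input}


def autosave_hardened(record: dict, user_input: dict, role: str) -> dict:
    allowed = WRITABLE_FIELDS.get(role, frozenset())  # unknown role: nothing writable
    denied = sorted(set(user_input) - allowed)
    if denied:
        # Reject rather than silently drop, and log the attempt for triage.
        log.warning("role=%s attempted to write restricted fields: %s", role, denied)
        raise FieldNotWritable(", ".join(denied))
    return {**record, **user_input}


def demo() -> dict:
    draft = {"title": "Q3 pentest", "package_name": None}
    # Constructed input mirroring the report: a customer adds package_name.
    tampered = {"title": "Q3 pentest v2", "package_name": "premium_p80"}
    results = {"vulnerable": autosave_vulnerable(draft, tampered)["package_name"]}
    try:
        autosave_hardened(draft, tampered, role="customer")
        results["customer"] = "accepted"
    except FieldNotWritable as exc:
        results["customer"] = f"rejected: {exc}"
    results["staff"] = autosave_hardened(draft, tampered, role="staff")["package_name"]
    return results


if __name__ == "__main__":
    print(demo())
```

Rejecting the whole request, rather than silently discarding the restricted key, gives the client a clear error and leaves a log line that can feed detection.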