Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0034491 | Openbravo ERP | A. Platform | public | 2016-11-14 13:24 | 2022-02-01 08:05 |
|
| Reporter | caristu | |
| Assigned To | Triage Platform Base | |
| Priority | high | Severity | minor | Reproducibility | always |
| Status | acknowledged | Resolution | open | |
| Platform | | OS | 5 | OS Version | |
| Product Version | | |
| Target Version | | Fixed in Version | | |
| Merge Request Status | |
| Review Assigned To | AugustoMauch |
| OBNetwork customer | |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0034491: Review access for DeleteImageActionHandler class |
| Description | It is possible to delete images different from the last recently added if they are accessible by the client and organization of the login context. |
| Steps To Reproduce | In description |
| Proposed Solution | The DeleteImageActionHandler should not delete any image but the ones created and dropped during record creation (see issue 0026253) |
| Additional Information | |
| Tags | security |
| Relationships | | related to | defect | 0026253 | 3.0PR14Q3 | closed | guillermogil | Trash button in product window, image field is not removing the image from database | | related to | defect | 0041748 | | closed | cberner | DeleteImageActionHandler is vulnerable to CSRF attacks |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2016-11-14 13:24 | caristu | New Issue | |
| 2016-11-14 13:24 | caristu | Assigned To | => platform |
| 2016-11-14 13:24 | caristu | Modules | => Core |
| 2016-11-14 13:24 | caristu | Triggers an Emergency Pack | => No |
| 2016-11-14 13:24 | caristu | Relationship added | related to 0034490 |
| 2016-11-14 13:30 | caristu | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=13681#r13681 |
| 2016-11-14 13:30 | caristu | Proposed Solution updated | |
| 2016-11-14 13:30 | caristu | Relationship added | related to 0026253 |
| 2016-11-14 13:30 | caristu | Proposed Solution updated | |
| 2016-11-14 13:31 | caristu | Description Updated | bug_revision_view_page.php?rev_id=13683#r13683 |
| 2016-11-14 13:31 | caristu | File Added: curlDeleteImage.txt | |
| 2016-11-14 13:47 | caristu | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=13687#r13687 |
| 2016-11-14 17:50 | caristu | Summary | [clustering] DeleteImageActionHandler is unsecure => [clustering] Review access for DeleteImageActionHandler class |
| 2016-11-14 17:50 | caristu | Description Updated | bug_revision_view_page.php?rev_id=13701#r13701 |
| 2016-11-14 17:50 | caristu | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=13702#r13702 |
| 2016-11-14 17:58 | caristu | File Deleted: curlDeleteImage.txt | |
| 2016-11-15 11:14 | caristu | Summary | [clustering] Review access for DeleteImageActionHandler class => Review access for DeleteImageActionHandler class |
| 2016-11-16 16:39 | alostale | Relationship deleted | related to 0034490 |
| 2016-12-01 12:18 | alostale | Status | new => acknowledged |
| 2016-12-01 14:03 | alostale | Priority | normal => high |
| 2016-12-16 14:45 | caristu | Tag Attached: security | |
| 2019-08-23 13:55 | cberner | Assigned To | platform => cberner |
| 2019-08-27 09:28 | cberner | Status | acknowledged => scheduled |
| 2019-08-27 09:28 | cberner | Review Assigned To | => AugustoMauch |
| 2019-08-28 08:09 | cberner | Status | scheduled => acknowledged |
| 2019-09-04 12:43 | cberner | Relationship added | related to 0041748 |
| 2019-12-26 11:48 | cberner | Assigned To | cberner => platform |
| 2022-02-01 08:05 | alostale | Assigned To | platform => Triage Platform Base |