Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0036239 | Openbravo ERP | 09. Financial management | public | 2017-06-13 08:58 | 2017-06-16 19:02 |
|
| Reporter | alostale | |
| Assigned To | collazoandy4 | |
| Priority | immediate | Severity | major | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 5 | OS Version | |
| Product Version | | |
| Target Version | | Fixed in Version | 3.0PR17Q3 | |
| Merge Request Status | |
| Review Assigned To | aferraz |
| OBNetwork customer | |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0036239: Security problem in Create Budget Reports in Excel report |
| Description | SQL injection security problem in Create Budget Reports in Excel report.
Problem is how ReportBudgetGenerateExcel.printPageDataExcel method creates the query. Parameters are appended to the query without being parsed to avoid SQL injection.
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9437 [^] |
| Steps To Reproduce | - |
| Proposed Solution | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | depends on | backport | 0036251 | 3.0PR17Q2.1 | closed | collazoandy4 | Security problem in Create Budget Reports in Excel report | | depends on | backport | 0036252 | 3.0PR17Q1.2 | closed | collazoandy4 | Security problem in Create Budget Reports in Excel report | | blocks | design defect | 0038136 | | acknowledged | Triage Platform Base | Tracking issue: Find & Fix queries not using bind-params but embedding values into query string |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2017-06-13 08:58 | alostale | New Issue | |
| 2017-06-13 08:58 | alostale | Assigned To | => Triage Finance |
| 2017-06-13 08:58 | alostale | Modules | => Core |
| 2017-06-13 08:58 | alostale | Triggers an Emergency Pack | => No |
| 2017-06-13 09:03 | alostale | Priority | normal => immediate |
| 2017-06-13 09:08 | alostale | Issue Monitored: alostale | |
| 2017-06-13 13:12 | aferraz | Summary | CVE-2017-9437 => Security problem in Create Budget Reports in Excel report |
| 2017-06-13 13:12 | aferraz | Description Updated | bug_revision_view_page.php?rev_id=15352#r15352 |
| 2017-06-14 11:33 | aferraz | Assigned To | Triage Finance => collazoandy4 |
| 2017-06-14 11:34 | aferraz | Status | new => scheduled |
| 2017-06-15 09:17 | hgbot | Checkin | |
| 2017-06-15 09:17 | hgbot | Note Added: 0097405 | |
| 2017-06-15 09:17 | hgbot | Status | scheduled => resolved |
| 2017-06-15 09:17 | hgbot | Resolution | open => fixed |
| 2017-06-15 09:17 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/f2ee792f14ff145dc05f47f0a7c3c089dbcb3823 [^] |
| 2017-06-15 10:07 | aferraz | Review Assigned To | => aferraz |
| 2017-06-15 10:07 | aferraz | Note Added: 0097408 | |
| 2017-06-15 10:07 | aferraz | Status | resolved => closed |
| 2017-06-15 10:07 | aferraz | Fixed in Version | => 3.0PR17Q3 |
| 2017-06-16 19:02 | hudsonbot | Checkin | |
| 2017-06-16 19:02 | hudsonbot | Note Added: 0097460 | |
| 2019-06-11 09:09 | alostale | Relationship added | blocks 0038136 |