Project:
View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
ID | ||||||||
0036252 | ||||||||
Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
backport | [Openbravo ERP] 09. Financial management | major | have not tried | 2017-06-13 08:58 | 2017-06-15 10:08 | |||
Reporter | alostale | View Status | public | |||||
Assigned To | collazoandy4 | |||||||
Priority | immediate | Resolution | fixed | Fixed in Version | 3.0PR17Q1.2 | |||
Status | closed | Fix in branch | Fixed in SCM revision | 140153ba6306 | ||||
Projection | none | ETA | none | Target Version | 3.0PR17Q1.2 | |||
OS | Any | Database | Any | Java version | ||||
OS Version | Database version | Ant version | ||||||
Product Version | SCM revision | |||||||
Review Assigned To | aferraz | |||||||
Web browser | ||||||||
Modules | Core | |||||||
Regression level | ||||||||
Regression date | ||||||||
Regression introduced in release | ||||||||
Regression introduced by commit | ||||||||
Triggers an Emergency Pack | No | |||||||
Summary | 0036252: Security problem in Create Budget Reports in Excel report | |||||||
Description | SQL injection security problem in Create Budget Reports in Excel report. Problem is how ReportBudgetGenerateExcel.printPageDataExcel method creates the query. Parameters are appended to the query without being parsed to avoid SQL injection. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9437 [^] | |||||||
Steps To Reproduce | - | |||||||
Tags | No tags attached. | |||||||
Attached Files | ||||||||
Relationships [ Relation Graph ] [ Dependency Graph ] | ||||||||
|
Notes | |
(0097403) hgbot (developer) 2017-06-15 09:14 |
Repository: erp/backports/3.0PR17Q1.2 Changeset: 140153ba6306875c34e26979ad8d3bebae3f7e9b Author: Armaignac <collazoandy4 <at> gmail.com> Date: Wed Jun 14 11:47:03 2017 -0400 URL: http://code.openbravo.com/erp/backports/3.0PR17Q1.2/rev/140153ba6306875c34e26979ad8d3bebae3f7e9b [^] Fixes issue 36252: Security problem in Create Budget Reports in Excel report SQL injection security problem in Create Budget Reports in Excel report. A UUID filter was added to check the params cAccountId and inpcAcctSchemaId. --- M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java --- |
(0097410) aferraz (manager) 2017-06-15 10:08 |
Code review OK |
Issue History | |||
Date Modified | Username | Field | Change |
2017-06-14 11:34 | aferraz | Type | defect => backport |
2017-06-14 11:34 | aferraz | Target Version | => 3.0PR17Q1.2 |
2017-06-15 09:14 | hgbot | Checkin | |
2017-06-15 09:14 | hgbot | Note Added: 0097403 | |
2017-06-15 09:14 | hgbot | Status | scheduled => resolved |
2017-06-15 09:14 | hgbot | Resolution | open => fixed |
2017-06-15 09:14 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/backports/3.0PR17Q1.2/rev/140153ba6306875c34e26979ad8d3bebae3f7e9b [^] |
2017-06-15 10:08 | aferraz | Review Assigned To | => aferraz |
2017-06-15 10:08 | aferraz | Note Added: 0097410 | |
2017-06-15 10:08 | aferraz | Status | resolved => closed |
2017-06-15 10:08 | aferraz | Fixed in Version | => 3.0PR17Q1.2 |
Copyright © 2000 - 2009 MantisBT Group |