View Issue Details
ID | 0036251
Type | backport
Category | [Openbravo ERP] 09. Financial management
Severity | major
Reproducibility | have not tried
Date Submitted | 2017-06-13 08:58
Last Update | 2017-06-15 10:08
Reporter | alostale
View Status | public
Assigned To | collazoandy4
Priority | immediate
Resolution | fixed
Fixed in Version | 3.0PR17Q2.1
Status | closed
Fixed in SCM revision | fc8d674b25c5
Projection | none
ETA | none
Target Version | 3.0PR17Q2.1
OS | Any
Database | Any
Review Assigned To | aferraz
Modules | Core
Triggers an Emergency Pack | No
Summary | 0036251: Security problem in Create Budget Reports in Excel report
Description | SQL injection security problem in Create Budget Reports in Excel report. The problem is how the ReportBudgetGenerateExcel.printPageDataExcel method creates the query: parameters are appended to the query without being parsed to avoid SQL injection. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9437
Steps To Reproduce | -
Tags | No tags attached.
Notes

(0097404) hgbot (developer) 2017-06-15 09:15

Repository: erp/backports/3.0PR17Q2.1
Changeset: fc8d674b25c591ecba1803292c1a6f6bd80c2845
Author: Armaignac <collazoandy4 <at> gmail.com>
Date: Wed Jun 14 11:47:03 2017 -0400
URL: http://code.openbravo.com/erp/backports/3.0PR17Q2.1/rev/fc8d674b25c591ecba1803292c1a6f6bd80c2845

Fixes issue 36251: Security problem in Create Budget Reports in Excel report

SQL injection security problem in Create Budget Reports in Excel report. A UUID filter was added to check the params cAccountId and inpcAcctSchemaId.

---
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
---

(0097409) aferraz (manager) 2017-06-15 10:08

Code review OK
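The fix note above says a UUID filter was added for the cAccountId and inpcAcctSchemaId parameters before they reach the query. The following is an added example, not code from Openbravo or from the changeset: it shows the string-concatenation shape the issue describes beside a guard that rejects any value not shaped like a record id and then binds the values with a PreparedStatement. The class name, the 32-hexadecimal-character id format, and the table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Hypothetical guard for the two report parameters named in the fix note. */
public class BudgetParamGuard {

  // Assumption: record ids are exactly 32 hexadecimal characters.
  private static final Pattern RECORD_ID = Pattern.compile("^[0-9A-Fa-f]{32}$");

  /** True only when the value has the expected id shape; anything else is rejected. */
  public static boolean isUuid(String value) {
    return value != null && RECORD_ID.matcher(value).matches();
  }

  /** Shape of the defect the issue describes: request values spliced into SQL text. */
  static String vulnerableQuery(String cAccountId, String cAcctSchemaId) {
    return "SELECT value, name FROM c_elementvalue WHERE c_elementvalue_id = '"
        + cAccountId + "' AND c_acctschema_id = '" + cAcctSchemaId + "'";
  }

  /** Hardened form: validate the shape first, then bind the values as parameters. */
  public static PreparedStatement safeQuery(Connection conn, String cAccountId,
      String cAcctSchemaId) throws SQLException {
    if (!isUuid(cAccountId) || !isUuid(cAcctSchemaId)) {
      throw new IllegalArgumentException("report parameter is not a UUID");
    }
    // Table and column names are assumed for illustration.
    PreparedStatement ps = conn.prepareStatement(
        "SELECT value, name FROM c_elementvalue"
            + " WHERE c_elementvalue_id = ? AND c_acctschema_id = ?");
    ps.setString(1, cAccountId);
    ps.setString(2, cAcctSchemaId);
    return ps;
  }

  public static void main(String[] args) {
    // Constructed sample inputs: one well-formed id and one arbitrary string.
    String okId = "0A1B2C3D4E5F60718293A4B5C6D7E8F9";
    String badId = "not-a-record-id";
    System.out.println("okId accepted: " + isUuid(okId));
    System.out.println("badId accepted: " + isUuid(badId));
  }
}
```

Even with the shape check in place, binding through PreparedStatement is what keeps the value out of the SQL text; the regex is a second layer that also gives a clear rejection to log on.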
Issue History

Date Modified | Username | Field | Change
2017-06-14 11:34 | aferraz | Type | defect => backport
2017-06-14 11:34 | aferraz | Target Version | => 3.0PR17Q2.1
2017-06-15 09:15 | hgbot | Checkin |
2017-06-15 09:15 | hgbot | Note Added: 0097404 |
2017-06-15 09:15 | hgbot | Status | scheduled => resolved
2017-06-15 09:15 | hgbot | Resolution | open => fixed
2017-06-15 09:15 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/backports/3.0PR17Q2.1/rev/fc8d674b25c591ecba1803292c1a6f6bd80c2845
2017-06-15 10:08 | aferraz | Review Assigned To | => aferraz
2017-06-15 10:08 | aferraz | Note Added: 0097409 |
2017-06-15 10:08 | aferraz | Status | resolved => closed
2017-06-15 10:08 | aferraz | Fixed in Version | => 3.0PR17Q2.1