Project:
| View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | ||||||||
| 0052171 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| defect | [Openbravo ERP] A. Platform | major | have not tried | 2023-04-19 17:13 | 2023-04-20 07:29 | |||
| Reporter | AugustoMauch | View Status | public | |||||
| Assigned To | AugustoMauch | |||||||
| Priority | normal | Resolution | fixed | Fixed in Version | PR23Q3 | |||
| Status | closed | Fix in branch | Fixed in SCM revision | |||||
| Projection | none | ETA | none | Target Version | ||||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | SCM revision | |||||||
| Review Assigned To | ||||||||
| Web browser | ||||||||
| Modules | Core | |||||||
| Regression level | ||||||||
| Regression date | ||||||||
| Regression introduced in release | ||||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0052171: Review widget access | |||||||
| Description | See https://docs.google.com/document/d/1UAYQeQTH3hIa6HD_lIjCAReFSDMYHthI9NAkd7Qt0Ww/edit# [^] | |||||||
| Steps To Reproduce | - | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
|||||||||||||||
|
|||||||||||||||
 Relationships |
|
Notes |
|
|
(0148608) hgbot (developer) 2023-04-19 17:24 |
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/859 [^] |
|
(0148615) hgbot (developer) 2023-04-20 07:29 |
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/859 [^] |
|
(0148616) hgbot (developer) 2023-04-20 07:29 |
Directly closing issue as related merge request is already approved. Repository: https://gitlab.com/openbravo/product/openbravo [^] Changeset: 60a083134d5ff337513f22b8e7b52b55a9ed656e Author: Augusto Mauch <augusto.mauch@openbravo.com> Date: 20-04-2023 05:28:45 URL: https://gitlab.com/openbravo/product/openbravo/-/commit/60a083134d5ff337513f22b8e7b52b55a9ed656e [^] Fixes ISSUE-52171: Only SYSTEM role should have access to SYSTEM widgets Adds a check to ensure that if the level provided when doing a request to obtain widget information is SYSTEM, the user requesting that information is currently using the SYSTEM role. Note that the frontend was already ensuring this by making the SYSTEM level available only to SYSTEM roles, but because no check was being done in the backend it was possible to create a manual request to take advantage of this vulnerability --- M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoActionHandler.java --- |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2023-04-19 17:13 | AugustoMauch | New Issue | |
| 2023-04-19 17:13 | AugustoMauch | Assigned To | => AugustoMauch |
| 2023-04-19 17:13 | AugustoMauch | Modules | => Core |
| 2023-04-19 17:13 | AugustoMauch | Triggers an Emergency Pack | => No |
| 2023-04-19 17:13 | AugustoMauch | Status | new => scheduled |
| 2023-04-19 17:21 | AugustoMauch | Description Updated | View Revisions |
| 2023-04-19 17:24 | hgbot | Note Added: 0148608 | |
| 2023-04-20 07:29 | hgbot | Resolution | open => fixed |
| 2023-04-20 07:29 | hgbot | Status | scheduled => closed |
| 2023-04-20 07:29 | hgbot | Note Added: 0148615 | |
| 2023-04-20 07:29 | hgbot | Fixed in Version | => PR23Q3 |
| 2023-04-20 07:29 | hgbot | Note Added: 0148616 | |
|
Issue History |
| Copyright © 2000 - 2009 MantisBT Group |
 |