Project:
| View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | ||||||||
| 0052172 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| backport | [Openbravo ERP] A. Platform | major | have not tried | 2023-04-19 17:13 | 2023-05-02 15:41 | |||
| Reporter | AugustoMauch | View Status | public | |||||
| Assigned To | AugustoMauch | |||||||
| Priority | normal | Resolution | fixed | Fixed in Version | PR23Q2 | |||
| Status | closed | Fix in branch | Fixed in SCM revision | |||||
| Projection | none | ETA | none | Target Version | PR23Q2 | |||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | SCM revision | |||||||
| Review Assigned To | ||||||||
| Web browser | ||||||||
| Modules | Core | |||||||
| Regression level | ||||||||
| Regression date | ||||||||
| Regression introduced in release | ||||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0052172: Review widget access | |||||||
| Description | - | |||||||
| Steps To Reproduce | - | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
||||||||
|
||||||||
 Relationships |
|
Notes |
|
|
(0149140) hgbot (developer) 2023-05-02 15:39 |
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/871 [^] |
|
(0149141) hgbot (developer) 2023-05-02 15:41 |
Directly closing issue as related merge request is already approved. Repository: https://gitlab.com/openbravo/product/openbravo [^] Changeset: 8f7a420b9e80866a0dc9e04bf612ad73e4faf78e Author: Augusto Mauch <augusto.mauch@openbravo.com> Date: 02-05-2023 15:39:19 URL: https://gitlab.com/openbravo/product/openbravo/-/commit/8f7a420b9e80866a0dc9e04bf612ad73e4faf78e [^] Fixes ISSUE-52172: Only SYSTEM role should have access to SYSTEM widgets Adds a check to ensure that if the level provided when doing a request to obtain widget information is SYSTEM, the user requesting that information is currently using the SYSTEM role. Note that the frontend was already ensuring this by making the SYSTEM level available only to SYSTEM roles, but because no check was being done in the backend it was possible to create a manual request to take advantage of this vulnerability --- M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoActionHandler.java --- |
|
(0149142) hgbot (developer) 2023-05-02 15:41 |
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/871 [^] |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2023-04-19 17:13 | AugustoMauch | Type | defect => backport |
| 2023-04-19 17:13 | AugustoMauch | Target Version | => PR23Q2 |
| 2023-05-02 15:39 | hgbot | Note Added: 0149140 | |
| 2023-05-02 15:41 | hgbot | Resolution | open => fixed |
| 2023-05-02 15:41 | hgbot | Status | scheduled => closed |
| 2023-05-02 15:41 | hgbot | Fixed in Version | => PR23Q2 |
| 2023-05-02 15:41 | hgbot | Note Added: 0149141 | |
| 2023-05-02 15:41 | hgbot | Note Added: 0149142 | |
|
Issue History |
| Copyright © 2000 - 2009 MantisBT Group |
 |