Security Announce for issue5570


Published: 2016-06-15 12:00:00+00:00

Synopsis

Cédric Krier found that an access right is missing for the model 'product.product-production.bom'. This allows a malicious authenticated user to write, create or delete records of this type (see issue5570).

Impact

Any authenticated user can modify the links between products and BoMs.

Resolution

All users should manually create a default model access limited to read only, and a second model access, restricted to the group "Production Administration", with full access.
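The effect of those two records, as an added example that is not Tryton code: a simplified Python model of access evaluation, assuming that a model with no applicable access record is unrestricted and that the permissions of all applicable records are OR-ed. The `get_access` helper and the `Sales` group are constructed for illustration.

```python
# Added example: simplified model of how model access records are evaluated.
# Not Tryton code; the evaluation rules below are stated assumptions and
# the sample data is constructed.
from dataclasses import dataclass
from typing import Optional

MODEL = "product.product-production.bom"
PERMS = ("read", "write", "create", "delete")


@dataclass(frozen=True)
class ModelAccess:
    model: str
    group: Optional[str]  # None = default record, applies to every user
    read: bool = False
    write: bool = False
    create: bool = False
    delete: bool = False


def get_access(records, model, user_groups):
    """Return the effective permissions of a user on a model."""
    matching = [r for r in records
                if r.model == model
                and (r.group is None or r.group in user_groups)]
    if not matching:
        # Assumption: no applicable record means nothing restricts the user.
        return {p: True for p in PERMS}
    # Assumption: permissions of all applicable records are combined with OR.
    return {p: any(getattr(r, p) for r in matching) for p in PERMS}


# State described in the synopsis: no access record for the model.
BEFORE = []

# State after the resolution: read-only default plus full access for the group.
AFTER = [
    ModelAccess(MODEL, None, read=True),
    ModelAccess(MODEL, "Production Administration",
                read=True, write=True, create=True, delete=True),
]

if __name__ == "__main__":
    for label, records in (("before", BEFORE), ("after", AFTER)):
        for groups in ({"Sales"}, {"Production Administration"}):
            print(label, sorted(groups), get_access(records, MODEL, groups))
```
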

Affected versions: all versions of the production module up to and including series 4.0.

Unaffected versions: all versions of the production module after series 4.0 (4.0 not included).

References

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.