Tryton Unconference Liège 2017 is coming!

Security Announce for issue5570


Objavljeno: 2016-06-15 12:00:00+00:00   |   Прочесть по-русски   |   Lire en français   |   Read in English   |   Llegeix-ho en català   |   Auf Deutsch lesen   |   Leer en español   |  Več objav o security

Synopsis

A missing access right has been found by Cédric Krier for the Model 'product.product-production.bom'. That allows a malicious authenticated user to write, create or delete records of this type (see issue5570).

Impact

Any authenticated user can modify the links between products and BoM's.

Resolution

All users should create manually a default model access which limits to read only and a second model access limited to the group "Production Administration" with full access.

Affected versions: all versions of production module prior to series 4.0 included.

Non affected version: all versions of production module after series 4.0 non-included.

References

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.