Vulnerability on Mail Template Window

Description

A vulnerability has been found in the Mail Template window.
A user who has access to the Mail Template window combined with access to other functionality that sends email or otherwise uses the template can obtain information indirectly via context variable replacement.

Affected Installs

All Compiere versions since the Mail Template window was introduced
All Adempiere versions
All iDempiere versions

Mitigation

Restrict access to the Mail Template window
Do not allow users to create mail templates
Review the existing mail templates to check for context variables that must not be used
Encrypt sensitive data (note that encryption only helps if you change the publicly known security key)
Use Hashed Passwords (iDempiere feature contributed by Adaxa)
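As an added example for the template review step above (not code from the advisory or from the iDempiere project), a small helper that extracts @Name@ context placeholders from mail template text and reports any that are not on an allowlist; the allowlist and the sample templates are constructed for illustration, and the @Name@ placeholder form is assumed from the Compiere/Adempiere/iDempiere template syntax.

```python
import re
from typing import Dict, List

# Context placeholders in Compiere/Adempiere/iDempiere mail templates use the
# @Name@ form; this pattern captures the name between the two delimiters.
# A lone "@" (e.g. in an email address) is not a placeholder and is ignored.
PLACEHOLDER = re.compile(r"@([^@\s]+)@")

# Constructed allowlist of variables considered acceptable in outbound mail.
# This is an assumption for the example, not a project default: adjust it to
# what your templates legitimately need; everything else is flagged for review.
ALLOWED = {"Name", "DocumentNo", "DateOrdered", "GrandTotal"}


def extract_placeholders(text: str) -> List[str]:
    """Return the distinct placeholder names in order of first appearance."""
    seen: List[str] = []
    for name in PLACEHOLDER.findall(text):
        if name not in seen:
            seen.append(name)
    return seen


def review_templates(templates: Dict[str, str], allowed=ALLOWED) -> Dict[str, List[str]]:
    """Map each template name to the placeholders that are not allowlisted.

    Templates with no findings are omitted so the result is a clean worklist
    for the reviewer.
    """
    findings: Dict[str, List[str]] = {}
    for tname, body in templates.items():
        flagged = [p for p in extract_placeholders(body) if p not in allowed]
        if flagged:
            findings[tname] = flagged
    return findings


# Constructed sample templates (the placeholder names here are invented).
SAMPLE_TEMPLATES = {
    "OrderConfirm": "Dear @Name@, order @DocumentNo@ for @GrandTotal@ is confirmed.",
    "Suspicious": "Hello @Name@. Internal ref: @InternalNote@ / @#SessionToken@",
    "Plain": "No placeholders here. Contact us at sales@example.com",
}

if __name__ == "__main__":
    for tname, flagged in review_templates(SAMPLE_TEMPLATES).items():
        print(f"{tname}: review placeholders {flagged}")
```

Running the block lists only the "Suspicious" template, since the other two use allowlisted placeholders or none at all.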

Project: iDempiere
Severity: High
Versions: All known versions of Compiere / Adempiere / iDempiere
Exploit type: Getting information through context variables
Reported Date: 2013-July-3
Reported By: Carlos Ruiz

Environment: None
Assignee: Carlos Ruiz
Reporter: Carlos Ruiz

Tested By: None

Priority: Critical