A vulnerability has been found in the Mail Template window.
A user with combined access to the Mail Template window and to other functionality that sends email or uses the template can obtain information indirectly via context variable replacement.
All Compiere versions since the Mail Template window was introduced
All Adempiere versions
All iDempiere versions
Restrict access to Mail Template window
Do not allow users to create mail templates
Review the existing mail templates to check for context variables that must not be used
Encrypt sensitive data (note that encryption is only useful if you change the publicly known security key)
Use Hashed Passwords (iDempiere feature contributed by Adaxa)
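The template review recommended above can be scripted. The following is an added example, not part of the original advisory or of the Compiere / Adempiere / iDempiere code base; it assumes context variables appear in template text as `@Name@` tokens and that the template texts have been exported as (template, field, text) rows. The allowlist and the sample rows are constructed.

```python
import re

# Assumption: a context variable is any run of non-blank characters
# enclosed in a pair of @ signs, e.g. @DocumentNo@.
TOKEN = re.compile(r"@([^@\s]+)@")

# Hypothetical allowlist: the only variables the reviewer has approved
# for use in mail templates. Anything else is reported for manual review.
APPROVED = {"Name", "DocumentNo", "DateOrdered"}

# Constructed sample export: (template name, field, text).
TEMPLATES = [
    ("Order confirmation", "MailHeader", "Order @DocumentNo@ confirmed"),
    ("Order confirmation", "MailText",
     "Dear @Name@,\nyour order dated @DateOrdered@ is ready.\n"
     "Questions: sales@example.com"),
    ("Welcome", "MailText",
     "Hello @Name@\nRef: @InternalNote@ / @#SessionValue@"),
]


def review(templates, approved=APPROVED):
    """Return (template, field, line number, variable) for every
    context variable that is not on the approved list."""
    findings = []
    for name, field, text in templates:
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in TOKEN.finditer(line):
                variable = match.group(1)
                if variable not in approved:
                    findings.append((name, field, lineno, variable))
    return findings


if __name__ == "__main__":
    for name, field, lineno, variable in review(TEMPLATES):
        print(f"{name} / {field} line {lineno}: unapproved @{variable}@")
```

An allowlist is used instead of a list of forbidden variables so that a variable nobody thought to forbid is still reported.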
Versions: All known versions of Compiere / Adempiere / iDempiere
Exploit type: Getting information through context variables
Reported Date: 2013-July-3
Reported By: Carlos Ruiz