Potential HR Personal information leak of salary information through Value column of project task.
/projet/tasks/time.php
I've found that users are not able to enter timesheets without having project permissions, but this also gives them access to view the time spent on tasks, and if you can see the time spent and the value (cost) of that work, you can work out someone's salary.
I thought that would be worth bringing up though.
Dolibarr Version: 19.0.1
Environment PHP: 8.1.7-1ubuntu3
Environment Database: MariaDB 10.6.12-MariaDB-0ubuntu0.22.10.1
Steps to reproduce the behavior and expected behavior
Just check any project with billed time enabled.
Attached files
No response
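The mitigation the report implies is to gate the Value column behind a right that is separate from project read access. The following is an added example, not Dolibarr's own code: it uses a minimal stand-in `DemoUser` class, and the right names `projet/lire` and `salaries/read` are placeholders, not verified Dolibarr permission identifiers.

```php
<?php
// Added example (not Dolibarr's code): a minimal stand-in for a user object
// holding module rights. The right names used below are assumptions.
class DemoUser {
    private array $rights;
    public function __construct(array $rights) { $this->rights = $rights; }
    public function hasRight(string $module, string $perm): bool {
        return !empty($this->rights[$module][$perm]);
    }
}

// The cost (value) of a time line is derived from the user's hourly rate,
// which is why showing it to anyone with project read access leaks salary data.
function canViewTaskCost(DemoUser $user): bool {
    // Require a dedicated right instead of reusing the project read permission.
    return $user->hasRight('salaries', 'read');
}

// Build the timesheet rows; the Value column is populated only for users who
// may see cost data. Returning rows rather than echoing keeps this testable.
function renderTimeLines(DemoUser $user, array $lines): array {
    $showCost = canViewTaskCost($user);
    $out = [];
    foreach ($lines as $l) {
        $out[] = [
            'task'     => $l['task'],
            'duration' => $l['duration_h'],
            'value'    => $showCost ? $l['value'] : null, // masked when not allowed
        ];
    }
    return $out;
}

// Constructed sample data: two time lines on one project.
$lines = [
    ['task' => 'Task A', 'duration_h' => 2.0, 'value' => 80.0],
    ['task' => 'Task B', 'duration_h' => 3.5, 'value' => 140.0],
];
$viewer = new DemoUser(['projet' => ['lire' => 1]]);                          // project read only
$hr     = new DemoUser(['projet' => ['lire' => 1], 'salaries' => ['read' => 1]]); // may see costs

foreach ([$viewer, $hr] as $u) {
    foreach (renderTimeLines($u, $lines) as $row) {
        printf("%s %.1fh value=%s\n", $row['task'], $row['duration'], $row['value'] ?? '(hidden)');
    }
}
```

The first loop prints every value as `(hidden)`; the second prints the real costs, which is the behaviour the time.php listing should have for users without the dedicated right.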
Bug