Potential HR Personal information leak of salary information through Value column of project task. #29549

Open
crookedAdmin opened this issue Apr 30, 2024 · 0 comments
Labels
Bug This is a bug (something does not work as expected)

Comments

@crookedAdmin
Bug

Potential HR Personal information leak of salary information through Value column of project task.
/projet/tasks/time.php
I've found that users are not able to enter timesheets without having project permissions, but this also gives them access to view the time spent on tasks, and if you can see the time spent and the value of the cost of that work, you can work out someone's salary.
I thought that would be worth bringing up though.

Dolibarr Version

19.0.1

Environment PHP

8.1.7-1ubuntu3

Environment Database

MariaDB 10.6.12-MariaDB-0ubuntu0.22.10.1

Steps to reproduce the behavior and expected behavior

Just check any project with billed time enabled.

Attached files

No response
