intuitem / ciso-assistant-community

CISO Assistant is a one-stop-shop for GRC, covering Risk, AppSec and Audit Management and supporting +43 frameworks worldwide: NIST CSF, ISO 27001, SOC2, CIS, PCI DSS, NIS2, CMMC, PSPF, GDPR, HIPAA, Essential Eight, NYDFS-500, DORA, NIST AI RMF, 800-53, 800-171, CyFun, CJIS, AirCyber and so much more
https://intuitem.com
GNU Affero General Public License v3.0

Information Disclosure on Main Dashboard? #421

Closed EvoXCX closed 2 weeks ago

EvoXCX commented 2 weeks ago

Describe the bug Example context: I created a domain with the name Domain1 and one user in this group as Domain Administrator.

I created a new domain with the name Domain2 and one user in this group as Domain Administrator.

Then I created an audit on each of these 2 domains.

And when I connect with one of these accounts I see on the Analytics Dashboard certain information that is not in the current domain.

Expected behavior The Admin from Domain2 can only see his assignments, and the same for the Admin from Domain1.

Screenshots Admin1 in group Domain1 with all audits and risk assessments

Admin2 in group Domain2 with only the 1 audit created

Environment (please complete the following information):

Maybe it's normal that the Dashboard uses data from all domains, but it would be nice if we could separate it into smaller teams that do not need to see certain parts.
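The behaviour the report above asks for is a dashboard whose aggregates are filtered by the domains the requesting user is assigned to, rather than computed over every object in the instance. The following is an added illustration of that scoping rule, written for this page; it is not CISO Assistant code and uses no project API. The `Audit`, `RiskAssessment` and `User` types, the `Domain1`/`Domain2` data and the two `dashboard_*` functions are constructed for the example.

```python
"""Added example (not CISO Assistant code): dashboard aggregates scoped to
the requesting user's domains, next to the unscoped variant the reporter saw.
All types and sample data below are constructed for this illustration."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Audit:
    name: str
    domain: str


@dataclass(frozen=True)
class RiskAssessment:
    name: str
    domain: str


@dataclass(frozen=True)
class User:
    name: str
    # Domains where this user holds the Domain Administrator role.
    domains: frozenset


# Constructed data mirroring the report: two domains, one admin each,
# one audit per domain, and a risk assessment that only Domain1 owns.
AUDITS = [Audit("Audit-D1", "Domain1"), Audit("Audit-D2", "Domain2")]
RISK_ASSESSMENTS = [RiskAssessment("RA-D1", "Domain1")]
USERS = {
    "admin1": User("admin1", frozenset({"Domain1"})),
    "admin2": User("admin2", frozenset({"Domain2"})),
}


def dashboard_unscoped(audits: Iterable[Audit],
                       risk_assessments: Iterable[RiskAssessment]) -> dict:
    """Counts over every domain: this is what the reporter observed,
    where Admin2 sees Domain1's audit and risk assessment in the totals."""
    return {
        "audits": len(list(audits)),
        "risk_assessments": len(list(risk_assessments)),
    }


def dashboard_scoped(user: User, audits: Iterable[Audit],
                     risk_assessments: Iterable[RiskAssessment]) -> dict:
    """Counts restricted to objects whose domain the user is assigned to.
    A user with no domain assignment sees empty aggregates rather than
    the instance-wide totals."""
    visible_audits = [a for a in audits if a.domain in user.domains]
    visible_ras = [r for r in risk_assessments if r.domain in user.domains]
    return {
        "audits": len(visible_audits),
        "risk_assessments": len(visible_ras),
        # Which domains actually contributed, so a reviewer can confirm
        # nothing outside the user's assignment leaked into the numbers.
        "domains": sorted({a.domain for a in visible_audits}
                          | {r.domain for r in visible_ras}),
    }


if __name__ == "__main__":
    print("unscoped:", dashboard_unscoped(AUDITS, RISK_ASSESSMENTS))
    for name, user in USERS.items():
        print(name, "scoped:", dashboard_scoped(user, AUDITS, RISK_ASSESSMENTS))
```

The point of carrying the `domains` key in the scoped result is that it makes the check auditable: a test can assert that a Domain2 administrator's dashboard was built only from Domain2 objects, which is the expected behaviour stated in the report.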

Mohamed-Hacene commented 2 weeks ago

Hi @EvoXCX,

Thanks for this issue, we've noticed this too and are in the process of correcting it. I'll link the pull request to your issue when I push it so that you can follow its progress and test it for your specific application.

ab-smith commented 2 weeks ago

It's indeed not an information disclosure, but it can be confusing and overwhelming. We'll get it fixed. Thank you.