Centurion ERP uses multi-tenancy both for data partitioning and for authorization to that data. As such, if a user is not a member of an organization they have no access to its data, and within an organization they cannot carry out an action for which they lack the required permission.
So What
There is no testing of the data returned by a user query. That gap is essentially what allowed CVE-2024-49373 to happen.
Actions Required
An immediate review of ALL data returned by ALL available queries must be carried out. This will need to be done by writing the required tests, so that the check is repeatable rather than a one-off audit.
Desired Outcome
No query a user conducts returns any data for an organization they are not a part of and do not have access to view, with the single exception that global items are visible to everyone (view only).
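The tenancy rule stated above, and the kind of test the "Actions Required" section asks for, as a stand-alone Python illustration added here. This is not Centurion ERP's own code or its models; the Record/User types, the sample records, the users and the two query functions are all constructed for the example. The audit helper runs every registered query for a user and reports any record outside the user's organizations that is not global, which is exactly the leak the desired outcome forbids.

```python
"""Added illustration (not Centurion ERP code) of the multi-tenancy rule:
a record is visible only to members of its organization, global records
(organization None) are visible to everyone but view-only, and any other
action additionally needs the matching permission inside that organization.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Record:
    id: int
    organization: str | None  # None marks a global item (hypothetical convention)
    name: str


@dataclass
class User:
    name: str
    organizations: set[str] = field(default_factory=set)
    # permissions keyed by organization, e.g. {"acme": {"view", "change"}}
    permissions: dict[str, set[str]] = field(default_factory=dict)


def visible_records(user: User, records: list[Record]) -> list[Record]:
    """Tenant filter: the user's own organizations plus global items, nothing else."""
    return [
        r for r in records
        if r.organization is None or r.organization in user.organizations
    ]


def can(user: User, action: str, record: Record) -> bool:
    """Permission check. Global items are view-only; any other record needs
    membership of its organization AND the named permission within it."""
    if record.organization is None:
        return action == "view"
    if record.organization not in user.organizations:
        return False
    return action in user.permissions.get(record.organization, set())


def leaked_records(user: User, returned: list[Record]) -> list[Record]:
    """Test oracle: records in a query result that the user must never see."""
    return [
        r for r in returned
        if r.organization is not None and r.organization not in user.organizations
    ]


Query = Callable[[User, list[Record]], list[Record]]


def audit_queries(user: User, queries: dict[str, Query],
                  records: list[Record]) -> dict[str, list[int]]:
    """Run every registered query for the user and report leaked record ids per query.
    An empty list for every query is the desired outcome."""
    return {name: [r.id for r in leaked_records(user, q(user, records))]
            for name, q in queries.items()}


# Constructed sample data: two organizations plus one global item.
SAMPLE_RECORDS = [
    Record(1, "acme", "acme-laptop"),
    Record(2, "acme", "acme-printer"),
    Record(3, "globex", "globex-server"),
    Record(4, None, "global-software-catalogue"),
]

ALICE = User("alice", {"acme"}, {"acme": {"view", "change"}})
BOB = User("bob", {"globex"}, {"globex": {"view"}})


def scoped_query(user: User, records: list[Record]) -> list[Record]:
    """Correct query: applies the tenant filter."""
    return visible_records(user, records)


def unscoped_query(user: User, records: list[Record]) -> list[Record]:
    """Buggy query that forgets the tenant filter; the audit must flag it."""
    return list(records)


QUERIES: dict[str, Query] = {"scoped": scoped_query, "unscoped": unscoped_query}


if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user.name, audit_queries(user, QUERIES, SAMPLE_RECORDS))
```

In a real test suite the `QUERIES` registry would be every list/detail endpoint or queryset the application exposes, run as one user per organization, and the suite fails when any entry of the audit result is non-empty.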
Links
https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-5qmx-pr2f-qhj5
358
/cc @jasonpagetas