Uploaded image for project: 'ONE'
  1. ONE
  2. ONE-31906

Box Viewer can delete tasks (eg. basic task) due to insufficient security in backend side of application

    XMLWordPrintable

Details

    • No
    • Tree
    • BigPicture, BigGantt
    • JIRA server, JIRA cloud
    • 5
    • 1
    • $i18n.getText("admin.common.words.hide")
      $i18n.getText("admin.common.words.show")
      var cfToHide1 = document.getElementById("rowForcustomfield_18501"); if(cfToHide1){cfToHide1.style.display="none";} var cfToHide2 = document.getElementById("rowForcustomfield_18502"); if(cfToHide2){cfToHide2.style.display="none";} var cfToHide3 = document.getElementById("rowForcustomfield_19700"); if(cfToHide3){cfToHide3.style.display="none";} var cfToHide4 = document.getElementById("rowForcustomfield_18400"); if(cfToHide4){cfToHide4.style.display="none";}
    • 2 hours, 13 minutes, 59 seconds
    • 1 day, 19 hours, 47 seconds
    • 1 week, 45 minutes, 24 seconds
    • 0
    • 1 minute, 20 seconds
    • 2 days, 5 hours, 10 minutes, 45 seconds
    • 2 weeks, 7 hours, 26 minutes, 17 seconds
    • $i18n.getText("admin.common.words.hide")
      $i18n.getText("admin.common.words.show")
      var cfToHide1 = document.getElementById("rowForcustomfield_21302"); if(cfToHide1){cfToHide1.style.display="none";} var cfToHide2 = document.getElementById("rowForcustomfield_19201"); if(cfToHide2){cfToHide2.style.display="none";} var cfToHide3 = document.getElementById("rowForcustomfield_19300"); if(cfToHide3){cfToHide3.style.display="none";} var cfToHide4 = document.getElementById("rowForcustomfield_19301"); if(cfToHide4){cfToHide4.style.display="none";} var cfToHide5 = document.getElementById("rowForcustomfield_19302"); if(cfToHide5){cfToHide5.style.display="none";} var cfToHide6 = document.getElementById("rowForcustomfield_19303"); if(cfToHide6){cfToHide6.style.display="none";} var cfToHide7 = document.getElementById("rowForcustomfield_19204"); if(cfToHide7){cfToHide7.style.display="none";} var cfToHide8 = document.getElementById("rowForcustomfield_19205"); if(cfToHide8){cfToHide8.style.display="none";}

    Description

      Prerequisites:
      N/A

      Reproduction steps:
      Log in as Box Viewer and delete tasks (eg. basic task).

      Actual result:
      User can delete any task by using rest api due to insufficient security in backend side. 

      Expected result:
      User cannot delete basic tasks or other tasks from different extplatforms (eg Jira or Trello) from the application level. 
       
      Workaround:
      N/A

      Attachments

        Activity

          People

            igor.szymanczyk Igor Szymanczyk
            katarzyna.rajchert Katarzyna Rajchert
            jakub.zygmunt Jakub Zygmunt (Inactive) , tomasz.jaskiewicz Tomasz Jaśkiewicz , system.jenkins Jenkins , kamila.kornatko Kamila Kornatko , martyna.turowska Martyna Turowska , marcin.hareza Marcin Hareza , system.gerrit Gerrit , katarzyna.rajchert Katarzyna Rajchert
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: