Description
Multiple vulnerabilities have been identified in ADempiere, which could be exploited by malicious users to inject arbitrary SQL queries or bypass security restrictions.
The first issue is caused by input validation errors in the "insert()" function [grid/ed/ValuePreference.java], which does not validate the "m_Attribute" and "m_Value" values before they are used in SQL statements. Malicious users could exploit this to conduct SQL injection attacks.
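The flaw class behind the first issue, shown as an added example that is not ADempiere's code: a preference insert built by string concatenation next to the same insert with bound parameters. It uses Python and an in-memory SQLite database as a stand-in for the Java/JDBC original; the table, function names and sample values are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical stand-in table; not ADempiere's actual schema.
SCHEMA = "CREATE TABLE preference (user_id INTEGER, attribute TEXT, value TEXT)"

# Constructed inputs. CRAFTED closes the string literal early and appends a
# second VALUES tuple, so the statement writes a row for a different user_id.
BENIGN = "O'Brien"
CRAFTED = "x'), (200, 'Language', 'y"


def insert_concat(conn, user_id, attribute, value):
    """Flawed pattern: attribute and value become part of the SQL text."""
    sql = ("INSERT INTO preference (user_id, attribute, value) VALUES ("
           + str(user_id) + ", '" + attribute + "', '" + value + "')")
    conn.execute(sql)


def insert_bound(conn, user_id, attribute, value):
    """Hardened pattern: values are bound parameters, never parsed as SQL."""
    conn.execute(
        "INSERT INTO preference (user_id, attribute, value) VALUES (?, ?, ?)",
        (user_id, attribute, value),
    )


def rows_after(insert_fn, attribute, value):
    """Run one insert as user 100 on a fresh in-memory DB; return all rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        insert_fn(conn, 100, attribute, value)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__
    return conn.execute(
        "SELECT user_id, attribute, value FROM preference ORDER BY user_id"
    ).fetchall()


if __name__ == "__main__":
    for fn in (insert_concat, insert_bound):
        for val in (BENIGN, CRAFTED):
            print(fn.__name__, repr(val), "->", rows_after(fn, "Language", val))
```

With concatenation, an ordinary apostrophe breaks the statement and the crafted value changes what the statement does; with bound parameters both values are stored verbatim as data.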
The second vulnerability is caused by a design error in the "canUpdate()" function [model/MRole.java], which does not properly validate user roles. Malicious users with read-only privileges could exploit this to gain access with read/write privileges.