Details
-
Type:
Bug
-
Status: Done/Fixed
-
Priority:
Trivial
-
Resolution: Fixed/Completed
-
Affects Version/s: 4.6.23, 4.7.13
-
Component/s: None
-
Security Level: Security - Published
-
Labels:None
-
Versioning Impact:Patch (backwards-compatible bug fixes)
-
Documentation Required?:None
-
Funding Source:Contributed Code
-
Verified?:No
Description
How to reproduce:
- create a custom group for Activities, with title: L'activité
- add a field in that group
- in a Case, add an activity, enter a value in that custom field (shouldn't be necessary, but that's what I tested)
- in the Case list of Activities (at the bottom of the screen), click on the "view" link for that activity (it opens a popup to view the activity).
The popup will cause a network error, because of an SQL error.
This is a potential security issue, but the attacker needs full admin permissions to manage custom fields (it could affect a SaaS provider, for example).