Description:
Any investment, whether a project or a non-project investment object (NPIO), can expose sensitive staffing data if an end user tampers with the URL: a user who holds no rights on the investment can open its Team Staff and Team Detail pages directly by supplying the investment id.
Steps to Reproduce:
- Log in to the application as a user with admin rights (any user holding most of the project-related rights will do)
- Navigate to any project, then open its Team Staff page and its Team Detail page
- Note down the application URL of each page
- The URLs will look like the following:
http://< server >/niku/nu#action:projmgr.teamList&id=< project_id >&view_code=projectTeamStaff
http://< server >/niku/nu#action:projmgr.teamList&id=< project_id >&view_code=projectTeamDetail
- Create a new user with the bare minimum rights
- Log in as the new user
- Open the URLs copied earlier
Expected Result: The user should not have access to these pages, and the usual error text should be displayed: "Error 401 - Unauthorized. You are not authorized to view the page. If you are sure you have access, try logging in again or contact your system administrator."
Actual Result: An alert is displayed, but all the staffing details are displayed as well.
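The defect above, modelled as an added Python example (this is not Clarity code and not CA's fix): a handler that evaluates the right but only queues an alert and keeps rendering, beside one that rejects the request before any team data is loaded. The right names, project ids, resource names, the ppm.example host and the Response shape are all assumptions made for the illustration; the check is object-level, so it also covers a project manager who tampers the id to a project they do not manage.

```python
# Added example (not CA Clarity code): a minimal model of the team-list handler
# showing the defect described above and a server-side check that corrects it.
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed sample data; project ids and resource names are made up.
PROJECTS = {
    5000001: {"name": "Data Centre Move",
              "staff": [{"resource": "jsmith", "allocation": 0.5}]},
    5000002: {"name": "ERP Upgrade",
              "staff": [{"resource": "rjones", "allocation": 1.0}]},
}

# Hypothetical right names, not Clarity's real right codes.
# "<right>_all" is a global right; "<right>:<project_id>" is an instance right.
USER_RIGHTS = {
    "admin":   {"project_team_view_all"},
    "pm_a":    {"project_team_view:5000001"},   # rights on one project only
    "newuser": set(),                           # bare-minimum user from the repro
}

# Which right each view_code requires.
VIEW_RIGHT = {
    "projectTeamStaff": "project_team_view",
    "projectTeamDetail": "project_team_view",
}


@dataclass
class Response:
    status: int
    alerts: list = field(default_factory=list)
    body: dict = field(default_factory=dict)


def parse_action_url(url):
    """Split '...#action:projmgr.teamList&id=N&view_code=X' into (action, id, view_code)."""
    fragment = url.split("#", 1)[1]
    action, _, query = fragment.partition("&")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return action.split(":", 1)[1], int(params["id"]), params["view_code"]


def is_authorized(user, view_code, project_id):
    """Object-level check: a global right, or an instance right on this project id."""
    right = VIEW_RIGHT.get(view_code)
    if right is None:
        return False
    held = USER_RIGHTS.get(user, set())
    return f"{right}_all" in held or f"{right}:{project_id}" in held


def team_list_vulnerable(user, url):
    """Before: the failed check only queues an alert, and rendering carries on."""
    _, project_id, view_code = parse_action_url(url)
    resp = Response(status=200)
    if not is_authorized(user, view_code, project_id):
        resp.alerts.append("You are not authorized to view the page.")
        # No return here: the handler falls through and loads the team data anyway.
    project = PROJECTS[project_id]
    resp.body = {"project": project["name"], "view": view_code, "staff": project["staff"]}
    return resp


def team_list_fixed(user, url):
    """After: authorize against the requested id before any project data is loaded."""
    _, project_id, view_code = parse_action_url(url)
    if not is_authorized(user, view_code, project_id):
        # Checked before the existence lookup so an unauthorized caller cannot
        # probe which ids exist. 401 matches the error text the article expects.
        return Response(status=401, alerts=[
            "Error 401 - Unauthorized. You are not authorized to view the page."])
    project = PROJECTS.get(project_id)
    if project is None:
        return Response(status=404)
    return Response(status=200,
                    body={"project": project["name"], "view": view_code,
                          "staff": project["staff"]})


def leaks_staffing(handler, user, url):
    """The repro's check: does this user still receive staff rows from this handler?"""
    return "staff" in handler(user, url).body
```

The point of the pairing is the missing early return: an authorization failure that only adds an alert to the page is equivalent to no check at all, because the data still leaves the server. The fixed handler also takes the id from the request into the check itself, so a user with rights on one project cannot read another project's staff by editing the id.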
Solution:
WORKAROUND:
None.
STATUS/RESOLUTION:
CLRT-74665
Resolved in Clarity 13.2 Generic Patch. Reference TEC599354
Resolved in Clarity 13.3 Generic Patch. Reference TEC605767
Resolved in CA PPM 14.1