Error page in Clarity classic sub-sub-object list reveals project name for enumerable internal project id
The error page reveals project information for projects that the user has no right to see; it is exploitable by any user who holds create rights on a sub-sub-object.
Steps To Reproduce:
1. Create sub-object A with Project as parent.
2. Create sub-sub-object A.A with A as parent.
3. Create a number field C on A.A.
4. Create a project instance P.
5. Create sub-object instance A1 for A.
6. Create a new user.
7. Grant the new user the Project view instance right on project P, Project navigate, Create and View rights for A, and Create rights for A.A.
8. Log in to Clarity classic as the new user.
9. Go to Project P » Sub-object A1 » A.A sub-sub-object list.
10. Create sub-sub-object instance A.A2 for A1.
11. Return to the sub-sub-object list (A.A) in A1 (A).
12. Configure the list to include number field C.
13. Edit field C, enter a valid number and save.
14. Below "Project - Properties" there is a title field like "Project: P | A: A1 - A.A List - Properties".
15. Edit field C again, enter a non-numerical value (for example "34$") and save.
16. An error message "Incorrect number Format" is shown and the C field is marked with a yellow triangle.
Expected:
The title from step 14 should remain unchanged.
Actual:
The title changes to "Project: {project name} | A: - A.A List - Properties", where {project name} is empty in almost all cases, but otherwise is the name of whichever project has the same internal ID as the sub-object instance A1 that the URL carries as odf_parent_id. In other words, the error page resolves the ID taken from the URL directly to a project name without re-checking the user's view rights on that project.
Because odf_parent_id is an enumerable internal sequence number in the 5xxxxxx range, a user who creates enough sub-object instances to walk through that range can use this to extract the names of all projects, including those they are not entitled to see.
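The following Python model is added here to illustrate the mechanism and is not Clarity code; the object IDs, project names, user name and function names are all constructed assumptions. It contrasts an error-page title renderer that resolves the URL-supplied odf_parent_id without an authorization check against one that applies the same view-right check the normal page does, and shows how a low-privileged user can harvest every project name from the first variant by walking the 5xxxxxx ID range.

```python
import re
from typing import Callable, Dict, Iterable, Set

# Constructed sample data (illustration only): internal object IDs in the
# 5xxxxxx range and a user who holds a view instance right on exactly one project.
PROJECTS: Dict[int, str] = {
    5000101: "Apollo",
    5000347: "Mercury",
    5000510: "Zeus",
}
# Per-user project view instance rights (user -> set of project IDs).
PROJECT_VIEW_RIGHTS: Dict[str, Set[int]] = {"newuser": {5000101}}

TITLE_TEMPLATE = "Project: {project} | A: {sub} - A.A List - Properties"


def render_error_title_vulnerable(user: str, odf_parent_id: int) -> str:
    """Assumed pre-fix behaviour: the ID from the URL is looked up as a project
    and its name is printed without checking whether `user` may view it.
    With a shared ID sequence the lookup is usually empty, but whenever the ID
    happens to be a project ID the project name is disclosed."""
    name = PROJECTS.get(odf_parent_id, "")
    return TITLE_TEMPLATE.format(project=name, sub="")


def render_error_title_fixed(user: str, odf_parent_id: int) -> str:
    """Assumed fix (not Clarity's actual patch): the URL-supplied ID is only
    resolved to a name when the user holds a view right on that project."""
    name = ""
    if odf_parent_id in PROJECT_VIEW_RIGHTS.get(user, set()):
        name = PROJECTS.get(odf_parent_id, "")
    return TITLE_TEMPLATE.format(project=name, sub="")


_TITLE_RE = re.compile(r"^Project: (?P<project>.*?) \| A: ")


def project_name_from_title(title: str) -> str:
    """What an attacker scrapes: the text between 'Project: ' and ' | A: '."""
    m = _TITLE_RE.match(title)
    return m.group("project") if m else ""


def enumerate_project_names(render: Callable[[str, int], str],
                            user: str, ids: Iterable[int]) -> Dict[int, str]:
    """Drive every candidate ID through the error-page renderer and keep the
    IDs that came back with a non-empty project name."""
    found: Dict[int, str] = {}
    for oid in ids:
        name = project_name_from_title(render(user, oid))
        if name:
            found[oid] = name
    return found


if __name__ == "__main__":
    ids = range(5000000, 5001000)
    print("vulnerable:", enumerate_project_names(render_error_title_vulnerable, "newuser", ids))
    print("fixed:     ", enumerate_project_names(render_error_title_fixed, "newuser", ids))
```

With the vulnerable renderer the walk returns all three project names although "newuser" may only view Apollo; with the fixed renderer only Apollo comes back, which is exactly what the user could already see on the normal page. The point to take away is that an error path which re-derives display data from a request parameter must apply the same authorization check as the success path.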
Affected versions: Clarity 16.2.1, 16.2.2, 16.2.3, 16.3.0
Defect ID: DE165484
Fixed in: 16.3.2