=====================================================================
                             CERT-Renater

                  Information Note No. 2010/VULN388
_____________________________________________________________________

DATE                 : 29/09/2010

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Achievo versions prior to 1.4.5.

=====================================================================
http://www.achievo.org/blog/archives/662-Achievo-1.4.5-Security-Bugfix-release.html
_____________________________________________________________________

Achievo 1.4.5 - Security Bugfix release

Again we received an email from the CYBSEC S.A company that they
discovered 2 vulnerabilities in Achievo 1.4.4 and below.

The first one was an authorization flaw in the Time registration
module, that made it possible to delete/add records of other users.

The second one was a CSRF in how ATK handles the validation of the
actions.

Both problems are fixed in Achievo 1.4.5.

For a full list of resolved issues, you can visit:
http://www.achievo.org/download/releasenotes/1_4_5.

Sandy

Posted by Sandy Pleyte in Release at 20:09

=====================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================