Synopsis
A missing access right for the model 'product.product-production.bom' has been found by Cédric Krier. It allows a malicious authenticated user to write, create or delete records of this model (see issue5570).
Impact
Any authenticated user can modify the links between products and BoMs.
Resolution
All users should manually create a default model access for this model that grants read-only access, and a second model access, limited to the group "Production Administration", that grants full access.
Affected versions: all versions of the production module up to and including series 4.0.
Non affected versions: all versions of the production module after series 4.0 (excluded).
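The following is an added example, not code from Tryton or from this advisory. It is a small Python model of how Tryton evaluates ir.model.access records: a model with no access record at all is fully accessible to every user, and a model with records grants the union of the permissions of the records whose group is empty (the default rule) or is one of the user's groups. The rule sets, the group name and the helper names are constructed here to show why the missing record grants write/create/delete to everyone, and why the two records the resolution asks for close the gap.

```python
"""Simplified model of Tryton's ir.model.access evaluation (added example,
not Tryton code). A model without any access record is open to everyone;
otherwise permissions are the union of the matching records' permissions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set

PERMS = ("read", "write", "create", "delete")


@dataclass(frozen=True)
class ModelAccess:
    """One ir.model.access record. group=None is the default rule that
    applies to every user."""
    model: str
    group: Optional[str]
    read: bool = False
    write: bool = False
    create: bool = False
    delete: bool = False


def effective_access(rules: Iterable[ModelAccess], model: str,
                     user_groups: Set[str]) -> dict:
    """Return {perm: bool} for `model` as seen by a user in `user_groups`."""
    rules_for_model = [r for r in rules if r.model == model]
    if not rules_for_model:
        # No record for this model at all: Tryton grants everything.
        return {p: True for p in PERMS}
    matching = [r for r in rules_for_model
                if r.group is None or r.group in user_groups]
    # Union of permissions over the matching records; a user matched by no
    # record gets nothing.
    return {p: any(getattr(r, p) for r in matching) for p in PERMS}


def can_modify(rules: Iterable[ModelAccess], model: str,
               user_groups: Set[str]) -> bool:
    """True when the user may write, create or delete records of `model`."""
    access = effective_access(rules, model, user_groups)
    return access["write"] or access["create"] or access["delete"]


MODEL = "product.product-production.bom"
ADMIN_GROUP = "Production Administration"

# Constructed rule set for the vulnerable state: a record exists for another
# model but none for the product/BoM link model.
RULES_BEFORE = [
    ModelAccess("production.bom", None, read=True),
]

# The two records the resolution asks administrators to create.
RULES_AFTER = RULES_BEFORE + [
    ModelAccess(MODEL, None, read=True),
    ModelAccess(MODEL, ADMIN_GROUP,
                read=True, write=True, create=True, delete=True),
]


if __name__ == "__main__":
    for label, rules in (("before fix", RULES_BEFORE), ("after fix", RULES_AFTER)):
        for groups in (set(), {ADMIN_GROUP}):
            who = "plain user" if not groups else "production admin"
            print(f"{label:10} {who:16} {effective_access(rules, MODEL, groups)}")
```

Running the block prints the permission sets for a plain user and for a member of the administration group, before and after the two records exist. In a real deployment the records are entered through the client's model access configuration or shipped as ir.model.access records in a module's XML data; the group name used here is the one the advisory names.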
References
- issue5570 https://bugs.tryton.org/issue5570
Concern?
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type "security".