
[SECURITY] Fix unauthorized SOAP access

Helmut Hummel requested to merge sec-soap into develop

By having an inverted condition, attackers could upload arbitrary extensions by only knowing the username and the extension key.

When knowing a username of a TER admin, it was also possible to perform TER admin commands (like deleting extensions) via SOAP.
