We are proposing an update to the privilege control system to introduce a new or extended privilege for the “Add Master Profile” functionality. This update is necessary to address several critical security risks, including:
Unauthorized changes to guest data
Potential for fraudulent billing manipulation
Missing or inaccurate audit trails
Current Issues Observed:
Users are able to modify the master guest profile even if they don’t have the “Change Guest Profile” privilege assigned, leading to unauthorized updates.
When selecting Add Master Profile during booking, users can input new details, and the Save button becomes enabled, even without the necessary privilege.
Clicking Save does not create a new profile; instead, it overwrites the existing master guest profile.
The audit trail incorrectly logs the action as Add Guest Profile as a New Guest Added, without showing the details of the old or new guest.
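The behaviour this request asks for, sketched as an added example (not code from the product or from the original post): privileges are checked on the server for every call, "Add Master Profile" always creates a new record instead of overwriting one, and the audit record carries old and new values. The `ProfileStore` class, its method names, the user dictionary shape and the sample data are assumptions made for illustration; only the two privilege names come from the post.

```python
from dataclasses import dataclass, field

class PrivilegeError(Exception):
    """Raised when the caller lacks the privilege an action requires."""

@dataclass
class ProfileStore:
    # Hypothetical in-memory store; a real system would use its database.
    profiles: dict = field(default_factory=dict)  # profile_id -> field dict
    audit: list = field(default_factory=list)     # append-only audit records
    next_id: int = 1

    def _require(self, user, privilege):
        # Server-side check on every call: a disabled Save button in the UI
        # is a convenience, not an access control.
        if privilege not in user["privileges"]:
            self.audit.append({"user": user["name"], "action": "DENIED",
                               "privilege": privilege})
            raise PrivilegeError(privilege)

    def add_master_profile(self, user, details):
        self._require(user, "Add Master Profile")
        pid = self.next_id
        self.next_id += 1
        self.profiles[pid] = dict(details)  # always a new record, never an overwrite
        self.audit.append({"user": user["name"], "action": "Add Master Profile",
                           "profile_id": pid, "old": None, "new": dict(details)})
        return pid

    def change_guest_profile(self, user, pid, changes):
        self._require(user, "Change Guest Profile")
        old = dict(self.profiles[pid])
        self.profiles[pid].update(changes)
        # Record only the fields that changed, with both old and new values.
        diff = {k: (old.get(k), v) for k, v in changes.items() if old.get(k) != v}
        self.audit.append({"user": user["name"], "action": "Change Guest Profile",
                           "profile_id": pid, "changed": diff})
        return diff

if __name__ == "__main__":
    # Constructed sample users and guest data.
    store = ProfileStore()
    manager = {"name": "manager",
               "privileges": {"Add Master Profile", "Change Guest Profile"}}
    clerk = {"name": "clerk", "privileges": set()}
    pid = store.add_master_profile(manager, {"name": "A. Guest", "billing": "Card"})
    try:
        store.change_guest_profile(clerk, pid, {"billing": "Invoice"})
    except PrivilegeError as exc:
        print("denied:", exc)
    for record in store.audit:
        print(record)
```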