Overview:
Version 23.2.0 adds several advanced features to both the application and the web portal, with attention to security and to enhancements that make the workflow smoother and smarter.
1. Inventory Management:
Inventory Management gains new features: Location and Area based inventory, Tax, Prefix service, Part Replace, Percentage based service, and Attachment service. Each option is described in detail below:
a. Setting>>Inventory Management:
The Inventory Management settings provide the following options:
i. Tax: the user can add a tax name and its status and submit it.

Figure 1.1: Setting>>Inventory Management>>Tax
ii. Part Replace: in the Assets info service, there is an option from which the user can replace parts and deduct the replaced part from inventory.

Figure 1.2: Setting>>Inventory Management>>Part Replace
iii. Location and Area: in Settings, the user can turn on the service "Do you need location based inventory?". By default the service is off. Once it is on, a further option "Do you need a mandatory location?" appears; it is also off by default, and once the user turns it on, a location must be added.
Area: "Do you need Area based inventory?" By default the service is off. Once it is on, a further option "Do you need a mandatory Area?" appears; it is also off by default, and once the user turns it on, an Area must be added.

Figure 1.3: Setting>>Inventory Management>>Location & Area
iv. Percentage: "Do you need a service based percentage reminder?" By default the service is off; once the user turns it on, the reminder is calculated based on the configured percentage.

Figure 1.4: Setting>>Inventory Management>>Percentage
v. Attachment Service: the attachment service has dynamic options: "Do you need an attachment?" and "Do you need the attachment to be mandatory?". Both are off by default. Once the services are on, an option to add an attachment appears, and if the attachment is mandatory the user must add one before being able to proceed.

Figure 1.5: Setting>>Inventory Management>>Attachment Service
b. Inventory Management>>Group & Item:
In Inventory Management there is an option to add an Item. While adding an Item, multiple taxes such as CGT, SGST and TAX can be applied; the available taxes depend on the settings.

Figure 1.6: Inventory Management>>Group and Item
Once the Item is added it appears in the listing. The details screen offers Move to, Edit and Delete; Move to lets the user move the Item to Assets Management.

Figure 1.7: Inventory Management>>Details
When the user clicks the Move to button, a confirmation "Are you sure you want to add this item?" appears. After clicking Yes, the user sees total QTY, used QTY and available QTY, can select the Item Quantity, and can choose further actions: Replace, Repair, Reject, Sale and Purchase.

Figure 1.8: Inventory Management>>Move to

Figure 1.9: Inventory Management>>Move to
If the user moves items to Repair, Reject or Replace, all of those assets are moved to a new tab; in the repair details, three buttons are shown: Repair, Replace and Deleted.
2. Preventive Maintenance:
a. Preventive Maintenance report image:
The Preventive Maintenance report image (thumbnail) size is small.
b. Attachment size limit:
Do you want to show the image icon in the report? – default false
Do you want to compress images based on quality? – If set to true, a percentage slider is shown. If 10% is selected, the image quality will be 10%. The default shown when enabled is 20%.

Figure 2.1: Setting>>Preventive Maintenance>> Media Setting
3. Budget and Expense:
Budget and Expense adds a Re-pay option.
a. Budget and Expense>> Location and Assets Base:
For an added budget, there is an option to re-pay the budget amount.

Figure 3.1: Budget and Expense>>Details
b. Multiple selections:
Select multiple budgets and perform actions on all of them at once, such as Download and Delete.

Figure 3.2: Budget and Expense>>Listing>>Select Operation
4. Complaint Management:
a. Email to internal staff:
Setting>>Service Management>>Email and SMS service>>Complaint Management: "Do you want to send an email to internal staff when a complaint is assigned?"
By default the service is off; once the user turns it on, mail is sent according to the setting.

Figure 4.1: Setting>> Email & Service
b. Setting>>Role Management:
In Role Management, the complaint section's rate card has an option "rate card with price"; once this option is on, the user can create and view the report without the rate card price.

Figure 4.2: Setting>>Role Management
5. SCA:
Setting>>Service Management>> Store Assessment:
This module has 2 options, SCA and STORE AUDIT, and the user can edit the name of both modules.
The STORE AUDIT module is added; it is editable, and the user can change the module's name.

Figure 5.1: Setting>>Service Management>>Store Assessment
Setting>> Role Management>>Store Assessment>> SCA and Store Audit:
Add a role for Store Assessment with SCA and Store Audit, with the information as below.
Setting>>Store Assessment>> has 2 sub-modules, SCA and Store Audit. SCA remains as it was, and Store Audit has the options below:

Figure 5.2: Setting>>Service Management>>Store Assessment
Setting>>Store Assessment>> Store Audit>> Preference:
This service is the same as the previous one, with a few new services added: STORE AUDIT provides 4 tabs, which are Category, Sub-Category, Item and Preference.

Figure 5.3: Setting>>Service Management>>Store Audit>>Preference
Setting>>Store Assessment>> Store Audit>> Preference>> Attachment:
The attachment has the following advanced options: "Do you need an attachment option to create a STORE AUDIT?" By default the service is off; once the user turns it on, it applies to the user's STORE AUDIT ticket.
"Do you need the attachment to be mandatory?" By default the service is off; once the user turns it on, it applies to the user's STORE AUDIT ticket.
Attachment Type: Excel, PDF, DOC, CSV, TXT, Image, Video, Audio, Camera.
Attachment: 1 to 15 (drop-down option).
Validation Type: All or Any one.
If the user selects the Camera option, the user cannot add an attachment from the gallery.

Figure 5.4: Setting>>Service Management>>Store Audit>>Preference>>Attachment
Setting>>Store Assessment>> Store Audit>> Preference>> TAT:
Here the user can add a Turnaround Time (TAT) per module.
TAT is dynamic: the user can add the TAT type, which is one of Hourly, Daily, Weekly, Monthly, Quarterly, Half-yearly or Yearly.
The user can also add the TAT value, in the same way as the Assets TAT.

Figure 5.5: Setting>>Service Management>>Store Audit>>Preference>>TAT
Setting>>Store Assessment>> Store Audit>> Preference>> Weightage:
The Weightage options are: "Based on which module do you need Weightage?" By default this is Sub-category.
The second option is the Weightage method: "Do you need to add weightage in percentage?" By default the service is off; once the user turns it on, the calculation is based on percentage. Alternatively, "Do you need to add weightage in numeric?" By default the service is off; once the user turns it on, the calculation is based on numeric values.
Please note: the user can select only one method at a time.

Figure 5.6: Setting>>Service Management>>Store Audit>>Preference>>Weightage
Setting>>Store Assessment>> Store Audit>> Preference>>Priority:
There is a priority for the STORE AUDIT task, and the user can add priorities dynamically. "Do you need priority for STORE AUDIT Task?" By default the service is off; once the user turns it on, a new Priority tab appears where the user can add a maximum of 3 priorities. The defaults are Critical, Major and Minor, and the user can change the names.

Figure 5.7: Setting>>Service Management>>Store Audit>>Preference>>Priority
Store Audit>>
In Store Audit there is an option to add an audit with Location, Area, Title, Description, Item, Assignee and an Expand form.

Figure 5.8: Store Assessment>>Store Audit>>Audit
6. Analytics:
Analytics adds a dashboard filter for the group option, to filter the data based on the selected group:

Figure 6.1: Analytics>>Complaint Management
7. Frontend Security:
a. Vulnerability issues to be fixed on the Customer Web Application – Improper Input Validation:
Enclosed: the 4th Quarter Internal VAPT report (Terotam) for the Customer Web application, Staging environment.
Weakness: Improper Input Validation
Vulnerable URL: https://master-staging.terotam.com/profile
Description: Improper input validation or unchecked user input is a type of vulnerability in computer software that may be used for security exploits. This vulnerability is caused when “[t]he product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.”
Impact: An attacker is able to craft input in a form that is not expected by the rest of the application. This leads to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.
Severity: Medium
Suggested Mitigation/Remediation Actions: Apply context-dependent encoding and/or validation to user input rendered on a page.
b. Vulnerability issues to be fixed on the Vendor Web Application – Improper Input Validation
Enclosed: the 4th Quarter Internal VAPT report for the Vendor Web application, Staging environment.
Weakness: Improper Input Validation
Vulnerable URL: https://vendor.terotam.com/user/profile
Description: Improper input validation or unchecked user input is a type of vulnerability in computer software that may be used for security exploits. This vulnerability is caused when “[t]he product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.”
Impact: An attacker is able to craft input in a form that is not expected by the rest of the application. This leads to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.
Severity: Medium
Suggested Mitigation/Remediation Actions: Apply context-dependent encoding and/or validation to user input rendered on a page.
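The remediation for both Improper Input Validation findings above (customer and vendor profile pages) is the same, so one added example covers both. It is not Terotam code; it assumes the profile form carries name, phone and email fields and shows server-side allowlist validation together with encoding chosen for the HTML context in which a stored value is later rendered.

```java
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not Terotam code. Server-side allowlist validation for the
// profile form plus context-dependent output encoding of the stored values.
// The field names (name, phone, email) and rules are assumptions.
public final class ProfileInput {
    private static final Pattern NAME  = Pattern.compile("^[\\p{L} .'-]{1,60}$");
    private static final Pattern PHONE = Pattern.compile("^\\+?[0-9]{7,15}$");
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");
    // Reject the whole request on any bad field rather than trying to "clean" it.
    public static void validate(Map<String, String> fields) {
        require(NAME,  fields.get("name"),  "name");
        require(PHONE, fields.get("phone"), "phone");
        require(EMAIL, fields.get("email"), "email");
    }
    private static void require(Pattern p, String value, String field) {
        if (value == null || !p.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + field);
        }
    }
    // For text rendered between HTML tags: escape the five HTML-significant characters.
    public static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    // For a value inside a quoted HTML attribute: encode everything that is not
    // a letter or digit, so no character can terminate the attribute.
    public static String encodeForAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (Character.isLetterOrDigit(c)) out.append(c);
            else out.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return out.toString();
    }
}
```

Validation runs on the API that saves the profile; the encoders are applied at render time, and a value placed in a URL or a script block needs its own encoder rather than one of these two.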
c. Vulnerability issues to be fixed on the Master Web Application – Using Component with Known Vulnerability – moment.js
Enclosed: the 4th Quarter Internal VAPT report (Terotam) for the Master Web application, Staging environment.
Weakness: Using Component with Known Vulnerability – moment.js
Vulnerable URL: https://master-staging.terotam.com/static/js/7.3dc5c976
Description & Impact: One or more vulnerabilities were reported for this version of the library. Consult the Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
Severity: Medium
Suggested Mitigation/Remediation Actions: Upgrade to the latest version.
8. Android Security:
a. Vulnerability issues to be fixed on the Terotam Android Vendor & Customer Application – Information Disclosure – IP Address Disclosure
Enclosed: the 4th Quarter Internal VAPT report (Terotam) for the Android Vendor & Customer application, Staging environment.
Weakness: Information Disclosure – IP Address Disclosure
Vulnerable APK: terotam_vendor_v201_(2022-Dec-26_06_52_PM).apk
terotam_customer_v201_(2022-Dec-26_06_43_PM).apk
Description & Impact: The application discloses IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organization, the private addresses used internally cannot usually be determined in the same ways.
Discovering the private addresses used within an organization can help an attacker in carrying out network-layer attacks aimed at penetrating the organization’s internal infrastructure.
Severity: Medium
Suggested Mitigation/Remediation Actions: Identify where private IP addresses used within the organization’s infrastructure are exposed. If they are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load-balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.
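As an added illustration of the rewriting step recommended above (not Terotam code), the class below replaces RFC 1918 addresses in text the service would otherwise return with stable opaque labels; the "backend-N" naming and the sample message are constructed for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Terotam code: rewrites RFC 1918 addresses in text the app
// would otherwise return (error bodies, debug messages, load-balancer headers)
// to stable opaque labels, as the remediation above describes.
public final class PrivateAddressMasker {
    // 10/8, 172.16/12 and 192.168/16, as dotted quads on word boundaries.
    private static final Pattern RFC1918 = Pattern.compile(
        "\\b(?:10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
      + "|172\\.(?:1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}"
      + "|192\\.168\\.\\d{1,3}\\.\\d{1,3})\\b");

    private final Map<String, String> aliases = new LinkedHashMap<>();

    // The same address always maps to the same label, so logs stay
    // correlatable without revealing the real topology.
    public synchronized String mask(String text) {
        Matcher m = RFC1918.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String alias = aliases.get(m.group());
            if (alias == null) {
                alias = "backend-" + (aliases.size() + 1);   // assumed label scheme
                aliases.put(m.group(), alias);
            }
            m.appendReplacement(out, Matcher.quoteReplacement(alias));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of a debug message that would leak internal addressing.
        String leaked = "upstream 10.20.1.7:8080 failed; retrying via 10.20.1.8 (lb 192.168.5.1)";
        System.out.println(new PrivateAddressMasker().mask(leaked));
    }
}
```

Apply it at the boundary where responses and error bodies are produced; the better fix is still to stop emitting debug detail to clients at all.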
b. Vulnerability issues to be fixed on the Terotam Android Vendor & Customer Application – Insufficient Cryptography
Enclosed: the 4th Quarter Internal VAPT report (Terotam) for the Android Vendor & Customer application, Staging environment.
Weakness: Insufficient Cryptography
Vulnerable APK: terotam_vendor_v201_(2022-Dec-26_06_52_PM).apk
terotam_customer_v201_(2022-Dec-26_06_43_PM).apk
Description & Impact: Insufficient Cryptography, or insecure usage of cryptography, is a common vulnerability in mobile apps that use encryption. Due to weak encryption algorithms or flaws in the encryption process, an attacker may be able to return the encrypted code or sensitive data to its original unencrypted form.
Severity: High
Suggested Mitigation/Remediation Actions:
It is recommended to implement java.security.SecureRandom.
https://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html
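An added example of the recommendation above, not Terotam code: every secret random value (key, nonce, token) is drawn from java.security.SecureRandom, and encryption uses AES-GCM so that a modified ciphertext is rejected rather than silently decrypted. The key size, nonce layout and token length are the example's own choices.

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example, not Terotam code: every random value that protects data
// (key, nonce, token) comes from java.security.SecureRandom, and the cipher
// is authenticated (AES-GCM) so tampering is detected on decrypt.
public final class SecureCrypto {
    private static final SecureRandom RNG = new SecureRandom();  // CSPRNG
    private static final int NONCE_BYTES = 12;                    // 96-bit GCM nonce
    private static final int TAG_BITS = 128;
    // The pattern the finding warns against: java.util.Random seeded from the
    // clock is predictable, so keys or tokens derived from it can be recovered.

    public static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey();
    }

    // Output layout: nonce || ciphertext || tag. A fresh nonce on every call;
    // reusing a nonce under the same key breaks GCM entirely.
    public static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[NONCE_BYTES + ct.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
        System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
        return out;
    }

    // Throws javax.crypto.AEADBadTagException if the blob was modified.
    public static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_BYTES));
        return c.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
    }

    // Unguessable session or reset token: 256 bits from the CSPRNG, URL-safe.
    public static String newToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
}
```

On Android the key should be generated and held in the Android Keystore rather than kept in app memory or preferences, and java.util.Base64 needs API 26 (use android.util.Base64 below that).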
c. Vulnerability issues to be fixed on the Terotam Android Vendor & Customer Application – SSL Weak Cipher Suites Supported
Enclosed: the 4th Quarter Internal VAPT report (Terotam) for the Android Vendor & Customer application, Staging environment.
Weakness: SSL Weak Cipher Suites Supported
Vulnerable APK: terotam_vendor_v201_(2022-Dec-26_06_52_PM).apk
terotam_customer_v201_(2022-Dec-26_06_43_PM).apk
Description & Impact: The web server supports encryption through TLS 1.0, which was formally deprecated in March 2021 as a result of inherent security issues. In addition, TLS 1.0 is not considered to be “strong cryptography” as defined and required by the PCI Data Security Standard 3.2(.1) when used to protect sensitive information transferred to or from web sites. According to PCI, “30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.”
Impact: An attacker may be able to exploit this problem to conduct man-in-the-middle attacks and decrypt communications between the affected service and clients.
Severity: High
Suggested Mitigation/Remediation Actions:
It is recommended to disable TLS 1.0 and replace it with TLS 1.2 or higher.
9. Automation:
In Automation we have covered the Escalation Management and Work Permit modules, including all of their detail modules, in the TeroTAM customer portal.
10. Android Improvement:
a. Comment for all modules:
My FMS -> Comment module -> validation for a blank comment is missing.
b. Mute icon:
Customer and Vendor >> Setting – the icon does not match the functionality.
c. API:
All heavy API calls need to be moved to background processing.
11. Backend Improvement:
a. Preventive Maintenance Filter:
Add a frequency option to the Preventive Maintenance filter.
b. Email changes:
Remove the "Kind regards" and "Terotam Team" wording, and leave one line between completed sentences.
c. Complaint Report:
i. Form List
ii. Complaint
iii. Preference Form – Done
iv. Report Form – Done
v. Relation Form – Done
vi. PM
vii. Checklist Form – Done
viii. Report Form (Work Flow)
ix. Invoice
x. Complaint Invoice
xi. PM Invoice
xii. Location
xiii. Add Location Dynamic Field
xiv. Staff Management
xv. Add Location Dynamic Field
xvi. Enquiry Management
xvii. Add Location Dynamic Field
xviii. DMS
xix. Preference
xx. DMS Report
xxi. Budget & Expense
xxii. Budget Preference
xxiii. Expense Preference
xxiv. Work Permit
xxv. Preference
xxvi. Project Management
xxvii. Checklist
xxviii. HRMS
xxix. Leave Form
xxx. Request Form