Total
6 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-26662 | 2 Debian, Tryton | 3 Debian Linux, Proteus, Trytond | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server. | |||||
CVE-2022-26661 | 2 Debian, Tryton | 3 Debian Linux, Proteus, Trytond | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system. | |||||
CVE-2019-10868 | 2 Debian, Tryton | 2 Debian Linux, Trytond | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values. | |||||
CVE-2015-0861 | 2 Debian, Tryton | 2 Debian Linux, Trytond | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records. | |||||
CVE-2012-2238 | 1 Tryton | 1 Trytond | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
trytond 2.4: ModelView.button fails to validate authorization | |||||
CVE-2012-0215 | 1 Tryton | 1 Trytond | 2024-11-21 | 5.5 MEDIUM | N/A |
model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call. |