Vulnerabilities (CVE)

Filtered by vendor Tryton Subscribe
Filtered by product Trytond
Total 6 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-26662 2 Debian, Tryton 3 Debian Linux, Proteus, Trytond 2024-11-21 5.0 MEDIUM 7.5 HIGH
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
CVE-2022-26661 2 Debian, Tryton 3 Debian Linux, Proteus, Trytond 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
CVE-2019-10868 2 Debian, Tryton 2 Debian Linux, Trytond 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
CVE-2015-0861 2 Debian, Tryton 2 Debian Linux, Trytond 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.
CVE-2012-2238 1 Tryton 1 Trytond 2024-11-21 5.0 MEDIUM 7.5 HIGH
trytond 2.4: ModelView.button fails to validate authorization
CVE-2012-0215 1 Tryton 1 Trytond 2024-11-21 5.5 MEDIUM N/A
model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.