Search criteria
18 vulnerabilities found for trytond by tryton
CVE-2025-66424 (GCVE-0-2025-66424)
Vulnerability from nvd – Published: 2025-11-30 00:00 – Updated: 2025-12-01 14:10
VLAI?
Summary
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Severity ?
6.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T13:33:40.959203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T14:10:29.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/trytond",
"product": "trytond",
"vendor": "Tryton",
"versions": [
{
"lessThan": "6.0.70",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "7.0.40",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThan": "7.4.21",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
},
{
"lessThan": "7.6.11",
"status": "affected",
"version": "7.5.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.70",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.40",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.21",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.6.11",
"versionStartIncluding": "7.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-30T02:39:34.291Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://discuss.tryton.org/t/security-release-for-issue-14366/8953"
},
{
"url": "https://foss.heptapod.net/tryton/tryton/-/issues/14366"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66424",
"datePublished": "2025-11-30T00:00:00.000Z",
"dateReserved": "2025-11-30T00:00:00.000Z",
"dateUpdated": "2025-12-01T14:10:29.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66423 (GCVE-0-2025-66423)
Vulnerability from nvd – Published: 2025-11-30 00:00 – Updated: 2025-12-01 14:10
VLAI?
Summary
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Severity ?
7.1 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66423",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T13:33:32.031278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T14:10:34.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/trytond",
"product": "trytond",
"vendor": "Tryton",
"versions": [
{
"lessThan": "6.0.70",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "7.0.40",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThan": "7.4.21",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
},
{
"lessThan": "7.6.11",
"status": "affected",
"version": "7.5.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.70",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.40",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.21",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.6.11",
"versionStartIncluding": "7.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-30T02:37:20.290Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://discuss.tryton.org/t/security-release-for-issue-14364/8952"
},
{
"url": "https://foss.heptapod.net/tryton/tryton/-/issues/14364"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66423",
"datePublished": "2025-11-30T00:00:00.000Z",
"dateReserved": "2025-11-30T00:00:00.000Z",
"dateUpdated": "2025-12-01T14:10:34.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66422 (GCVE-0-2025-66422)
Vulnerability from nvd – Published: 2025-11-30 00:00 – Updated: 2025-12-01 14:10
VLAI?
Summary
Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Severity ?
4.3 (Medium)
CWE
- CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T13:33:24.165266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T14:10:40.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/trytond",
"product": "trytond",
"vendor": "Tryton",
"versions": [
{
"lessThan": "6.0.70",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.40",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThan": "7.4.21",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
},
{
"lessThan": "7.6.11",
"status": "affected",
"version": "7.5.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.40",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.21",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.6.11",
"versionStartIncluding": "7.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-402",
"description": "CWE-402 Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-30T02:34:37.916Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://discuss.tryton.org/t/security-release-for-issue-14354/8950"
},
{
"url": "https://foss.heptapod.net/tryton/tryton/-/issues/14354"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66422",
"datePublished": "2025-11-30T00:00:00.000Z",
"dateReserved": "2025-11-30T00:00:00.000Z",
"dateUpdated": "2025-12-01T14:10:40.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-26662 (GCVE-0-2022-26662)
Vulnerability from nvd – Published: 2022-03-07 22:40 – Updated: 2024-08-03 05:11
VLAI?
Summary
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:44.228Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.tryton.org/issue11244"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-11T14:06:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.tryton.org/issue11244"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5099"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-26662",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059",
"refsource": "MISC",
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"name": "https://bugs.tryton.org/issue11244",
"refsource": "MISC",
"url": "https://bugs.tryton.org/issue11244"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5099"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26662",
"datePublished": "2022-03-07T22:40:00",
"dateReserved": "2022-03-07T00:00:00",
"dateUpdated": "2024-08-03T05:11:44.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26661 (GCVE-0-2022-26661)
Vulnerability from nvd – Published: 2022-03-07 22:40 – Updated: 2024-08-03 05:11
VLAI?
Summary
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:44.600Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.tryton.org/issue11219"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-11T14:06:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.tryton.org/issue11219"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5099"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-26661",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.tryton.org/issue11219",
"refsource": "MISC",
"url": "https://bugs.tryton.org/issue11219"
},
{
"name": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059",
"refsource": "MISC",
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5099"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26661",
"datePublished": "2022-03-07T22:40:11",
"dateReserved": "2022-03-07T00:00:00",
"dateUpdated": "2024-08-03T05:11:44.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2238 (GCVE-0-2012-2238)
Vulnerability from nvd – Published: 2019-11-21 13:47 – Updated: 2024-08-06 19:26
VLAI?
Summary
trytond 2.4: ModelView.button fails to validate authorization
Severity ?
No CVSS data available.
CWE
- UNKNOWN_TYPE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:26:08.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2238"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78435"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/09/11/10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/55503"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://hg.tryton.org/2.4/trytond/rev/279f0031b461"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "trytond",
"vendor": "tryton",
"versions": [
{
"status": "affected",
"version": "\u2264 2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "trytond 2.4: ModelView.button fails to validate authorization"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "UNKNOWN_TYPE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-21T13:47:31",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2238"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78435"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2012/09/11/10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/55503"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://hg.tryton.org/2.4/trytond/rev/279f0031b461"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2012-2238",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "trytond",
"version": {
"version_data": [
{
"version_value": "\u2264 2.4"
}
]
}
}
]
},
"vendor_name": "tryton"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "trytond 2.4: ModelView.button fails to validate authorization"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNKNOWN_TYPE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2012-2238",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2238"
},
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78435",
"refsource": "MISC",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78435"
},
{
"name": "http://www.openwall.com/lists/oss-security/2012/09/11/10",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2012/09/11/10"
},
{
"name": "http://www.securityfocus.com/bid/55503",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/55503"
},
{
"name": "http://hg.tryton.org/2.4/trytond/rev/279f0031b461",
"refsource": "MISC",
"url": "http://hg.tryton.org/2.4/trytond/rev/279f0031b461"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2012-2238",
"datePublished": "2019-11-21T13:47:31",
"dateReserved": "2012-04-16T00:00:00",
"dateUpdated": "2024-08-06T19:26:08.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10868 (GCVE-0-2019-10868)
Vulnerability from nvd – Published: 2019-04-05 00:25 – Updated: 2024-08-04 22:32
VLAI?
Summary
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
Severity ?
4.3 (Medium)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:02.074Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue8189/1262"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hg.tryton.org/trytond/rev/f58bbfe0aefb"
},
{
"name": "DSA-4426",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4426"
},
{
"name": "20190407 [SECURITY] [DSA 4426-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Apr/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-08T08:06:06",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue8189/1262"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hg.tryton.org/trytond/rev/f58bbfe0aefb"
},
{
"name": "DSA-4426",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4426"
},
{
"name": "20190407 [SECURITY] [DSA 4426-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Apr/14"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-10868",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.tryton.org/t/security-release-for-issue8189/1262",
"refsource": "MISC",
"url": "https://discuss.tryton.org/t/security-release-for-issue8189/1262"
},
{
"name": "https://hg.tryton.org/trytond/rev/f58bbfe0aefb",
"refsource": "MISC",
"url": "https://hg.tryton.org/trytond/rev/f58bbfe0aefb"
},
{
"name": "DSA-4426",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4426"
},
{
"name": "20190407 [SECURITY] [DSA 4426-1] tryton-server security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Apr/14"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-10868",
"datePublished": "2019-04-05T00:25:41",
"dateReserved": "2019-04-04T00:00:00",
"dateUpdated": "2024-08-04T22:32:02.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-0861 (GCVE-0-2015-0861)
Vulnerability from nvd – Published: 2016-04-13 15:00 – Updated: 2024-08-06 04:26
VLAI?
Summary
model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:26:10.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.tryton.org/posts/security-release-for-issue5167.html"
},
{
"name": "DSA-3425",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3425"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.tryton.org/issue5167"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-04-13T14:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.tryton.org/posts/security-release-for-issue5167.html"
},
{
"name": "DSA-3425",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3425"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.tryton.org/issue5167"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2015-0861",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.tryton.org/posts/security-release-for-issue5167.html",
"refsource": "CONFIRM",
"url": "http://www.tryton.org/posts/security-release-for-issue5167.html"
},
{
"name": "DSA-3425",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3425"
},
{
"name": "https://bugs.tryton.org/issue5167",
"refsource": "CONFIRM",
"url": "https://bugs.tryton.org/issue5167"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2015-0861",
"datePublished": "2016-04-13T15:00:00",
"dateReserved": "2015-01-07T00:00:00",
"dateUpdated": "2024-08-06T04:26:10.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-0215 (GCVE-0-2012-0215)
Vulnerability from nvd – Published: 2012-07-12 20:00 – Updated: 2024-09-16 16:53
VLAI?
Summary
model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:16:19.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-2444",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2444"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.tryton.org/issue2476"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.tryton.org/trytond/rev/8e64d52ecea4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://news.tryton.org/2012/03/security-releases-for-all-supported.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-07-12T20:00:00Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "DSA-2444",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2444"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.tryton.org/issue2476"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.tryton.org/trytond/rev/8e64d52ecea4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://news.tryton.org/2012/03/security-releases-for-all-supported.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2012-0215",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-2444",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2012/dsa-2444"
},
{
"name": "https://bugs.tryton.org/issue2476",
"refsource": "CONFIRM",
"url": "https://bugs.tryton.org/issue2476"
},
{
"name": "http://hg.tryton.org/trytond/rev/8e64d52ecea4",
"refsource": "CONFIRM",
"url": "http://hg.tryton.org/trytond/rev/8e64d52ecea4"
},
{
"name": "http://news.tryton.org/2012/03/security-releases-for-all-supported.html",
"refsource": "CONFIRM",
"url": "http://news.tryton.org/2012/03/security-releases-for-all-supported.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2012-0215",
"datePublished": "2012-07-12T20:00:00Z",
"dateReserved": "2011-12-14T00:00:00Z",
"dateUpdated": "2024-09-16T16:53:53.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-66422 (GCVE-0-2025-66422)
Vulnerability from cvelistv5 – Published: 2025-11-30 00:00 – Updated: 2025-12-01 14:10
VLAI?
Summary
Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Severity ?
4.3 (Medium)
CWE
- CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T13:33:24.165266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T14:10:40.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/trytond",
"product": "trytond",
"vendor": "Tryton",
"versions": [
{
"lessThan": "6.0.70",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.40",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThan": "7.4.21",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
},
{
"lessThan": "7.6.11",
"status": "affected",
"version": "7.5.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.40",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.21",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.6.11",
"versionStartIncluding": "7.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-402",
"description": "CWE-402 Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-30T02:34:37.916Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://discuss.tryton.org/t/security-release-for-issue-14354/8950"
},
{
"url": "https://foss.heptapod.net/tryton/tryton/-/issues/14354"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66422",
"datePublished": "2025-11-30T00:00:00.000Z",
"dateReserved": "2025-11-30T00:00:00.000Z",
"dateUpdated": "2025-12-01T14:10:40.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66423 (GCVE-0-2025-66423)
Vulnerability from cvelistv5 – Published: 2025-11-30 00:00 – Updated: 2025-12-01 14:10
VLAI?
Summary
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Severity ?
7.1 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66423",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T13:33:32.031278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T14:10:34.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/trytond",
"product": "trytond",
"vendor": "Tryton",
"versions": [
{
"lessThan": "6.0.70",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "7.0.40",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThan": "7.4.21",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
},
{
"lessThan": "7.6.11",
"status": "affected",
"version": "7.5.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.70",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.40",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.21",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.6.11",
"versionStartIncluding": "7.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-30T02:37:20.290Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://discuss.tryton.org/t/security-release-for-issue-14364/8952"
},
{
"url": "https://foss.heptapod.net/tryton/tryton/-/issues/14364"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66423",
"datePublished": "2025-11-30T00:00:00.000Z",
"dateReserved": "2025-11-30T00:00:00.000Z",
"dateUpdated": "2025-12-01T14:10:34.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66424 (GCVE-0-2025-66424)
Vulnerability from cvelistv5 – Published: 2025-11-30 00:00 – Updated: 2025-12-01 14:10
VLAI?
Summary
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Severity ?
6.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T13:33:40.959203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T14:10:29.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/trytond",
"product": "trytond",
"vendor": "Tryton",
"versions": [
{
"lessThan": "6.0.70",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "7.0.40",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThan": "7.4.21",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
},
{
"lessThan": "7.6.11",
"status": "affected",
"version": "7.5.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.70",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.40",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.21",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.6.11",
"versionStartIncluding": "7.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-30T02:39:34.291Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://discuss.tryton.org/t/security-release-for-issue-14366/8953"
},
{
"url": "https://foss.heptapod.net/tryton/tryton/-/issues/14366"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66424",
"datePublished": "2025-11-30T00:00:00.000Z",
"dateReserved": "2025-11-30T00:00:00.000Z",
"dateUpdated": "2025-12-01T14:10:29.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-26661 (GCVE-0-2022-26661)
Vulnerability from cvelistv5 – Published: 2022-03-07 22:40 – Updated: 2024-08-03 05:11
VLAI?
Summary
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:44.600Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.tryton.org/issue11219"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-11T14:06:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.tryton.org/issue11219"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5099"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-26661",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.tryton.org/issue11219",
"refsource": "MISC",
"url": "https://bugs.tryton.org/issue11219"
},
{
"name": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059",
"refsource": "MISC",
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5099"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26661",
"datePublished": "2022-03-07T22:40:11",
"dateReserved": "2022-03-07T00:00:00",
"dateUpdated": "2024-08-03T05:11:44.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26662 (GCVE-0-2022-26662)
Vulnerability from cvelistv5 – Published: 2022-03-07 22:40 – Updated: 2024-08-03 05:11
VLAI?
Summary
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:44.228Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.tryton.org/issue11244"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-11T14:06:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.tryton.org/issue11244"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5099"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-26662",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059",
"refsource": "MISC",
"url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
},
{
"name": "https://bugs.tryton.org/issue11244",
"refsource": "MISC",
"url": "https://bugs.tryton.org/issue11244"
},
{
"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
},
{
"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
},
{
"name": "DSA-5098",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5098"
},
{
"name": "DSA-5099",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5099"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26662",
"datePublished": "2022-03-07T22:40:00",
"dateReserved": "2022-03-07T00:00:00",
"dateUpdated": "2024-08-03T05:11:44.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2238 (GCVE-0-2012-2238)
Vulnerability from cvelistv5 – Published: 2019-11-21 13:47 – Updated: 2024-08-06 19:26
VLAI?
Summary
trytond 2.4: ModelView.button fails to validate authorization
Severity ?
No CVSS data available.
CWE
- UNKNOWN_TYPE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:26:08.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2238"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78435"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/09/11/10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/55503"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://hg.tryton.org/2.4/trytond/rev/279f0031b461"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "trytond",
"vendor": "tryton",
"versions": [
{
"status": "affected",
"version": "\u2264 2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "trytond 2.4: ModelView.button fails to validate authorization"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "UNKNOWN_TYPE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-21T13:47:31",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2238"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78435"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2012/09/11/10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/55503"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://hg.tryton.org/2.4/trytond/rev/279f0031b461"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2012-2238",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "trytond",
"version": {
"version_data": [
{
"version_value": "\u2264 2.4"
}
]
}
}
]
},
"vendor_name": "tryton"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "trytond 2.4: ModelView.button fails to validate authorization"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNKNOWN_TYPE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2012-2238",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2238"
},
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78435",
"refsource": "MISC",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78435"
},
{
"name": "http://www.openwall.com/lists/oss-security/2012/09/11/10",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2012/09/11/10"
},
{
"name": "http://www.securityfocus.com/bid/55503",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/55503"
},
{
"name": "http://hg.tryton.org/2.4/trytond/rev/279f0031b461",
"refsource": "MISC",
"url": "http://hg.tryton.org/2.4/trytond/rev/279f0031b461"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2012-2238",
"datePublished": "2019-11-21T13:47:31",
"dateReserved": "2012-04-16T00:00:00",
"dateUpdated": "2024-08-06T19:26:08.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10868 (GCVE-0-2019-10868)
Vulnerability from cvelistv5 – Published: 2019-04-05 00:25 – Updated: 2024-08-04 22:32
VLAI?
Summary
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
Severity ?
4.3 (Medium)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:02.074Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue8189/1262"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hg.tryton.org/trytond/rev/f58bbfe0aefb"
},
{
"name": "DSA-4426",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4426"
},
{
"name": "20190407 [SECURITY] [DSA 4426-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Apr/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-08T08:06:06",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.tryton.org/t/security-release-for-issue8189/1262"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hg.tryton.org/trytond/rev/f58bbfe0aefb"
},
{
"name": "DSA-4426",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4426"
},
{
"name": "20190407 [SECURITY] [DSA 4426-1] tryton-server security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Apr/14"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-10868",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.tryton.org/t/security-release-for-issue8189/1262",
"refsource": "MISC",
"url": "https://discuss.tryton.org/t/security-release-for-issue8189/1262"
},
{
"name": "https://hg.tryton.org/trytond/rev/f58bbfe0aefb",
"refsource": "MISC",
"url": "https://hg.tryton.org/trytond/rev/f58bbfe0aefb"
},
{
"name": "DSA-4426",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4426"
},
{
"name": "20190407 [SECURITY] [DSA 4426-1] tryton-server security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Apr/14"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-10868",
"datePublished": "2019-04-05T00:25:41",
"dateReserved": "2019-04-04T00:00:00",
"dateUpdated": "2024-08-04T22:32:02.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-0861 (GCVE-0-2015-0861)
Vulnerability from cvelistv5 – Published: 2016-04-13 15:00 – Updated: 2024-08-06 04:26
VLAI?
Summary
model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:26:10.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.tryton.org/posts/security-release-for-issue5167.html"
},
{
"name": "DSA-3425",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3425"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.tryton.org/issue5167"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-04-13T14:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.tryton.org/posts/security-release-for-issue5167.html"
},
{
"name": "DSA-3425",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3425"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.tryton.org/issue5167"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2015-0861",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.tryton.org/posts/security-release-for-issue5167.html",
"refsource": "CONFIRM",
"url": "http://www.tryton.org/posts/security-release-for-issue5167.html"
},
{
"name": "DSA-3425",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3425"
},
{
"name": "https://bugs.tryton.org/issue5167",
"refsource": "CONFIRM",
"url": "https://bugs.tryton.org/issue5167"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2015-0861",
"datePublished": "2016-04-13T15:00:00",
"dateReserved": "2015-01-07T00:00:00",
"dateUpdated": "2024-08-06T04:26:10.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-0215 (GCVE-0-2012-0215)
Vulnerability from cvelistv5 – Published: 2012-07-12 20:00 – Updated: 2024-09-16 16:53
VLAI?
Summary
model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:16:19.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-2444",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2444"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.tryton.org/issue2476"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.tryton.org/trytond/rev/8e64d52ecea4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://news.tryton.org/2012/03/security-releases-for-all-supported.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-07-12T20:00:00Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "DSA-2444",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2444"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.tryton.org/issue2476"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.tryton.org/trytond/rev/8e64d52ecea4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://news.tryton.org/2012/03/security-releases-for-all-supported.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2012-0215",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-2444",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2012/dsa-2444"
},
{
"name": "https://bugs.tryton.org/issue2476",
"refsource": "CONFIRM",
"url": "https://bugs.tryton.org/issue2476"
},
{
"name": "http://hg.tryton.org/trytond/rev/8e64d52ecea4",
"refsource": "CONFIRM",
"url": "http://hg.tryton.org/trytond/rev/8e64d52ecea4"
},
{
"name": "http://news.tryton.org/2012/03/security-releases-for-all-supported.html",
"refsource": "CONFIRM",
"url": "http://news.tryton.org/2012/03/security-releases-for-all-supported.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2012-0215",
"datePublished": "2012-07-12T20:00:00Z",
"dateReserved": "2011-12-14T00:00:00Z",
"dateUpdated": "2024-09-16T16:53:53.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}