CVE-2022-26661
https://notcve.org/view.php?id=CVE-2022-26661
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
• https://bugs.tryton.org/issue11219
• https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
• https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html
• https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html
• https://www.debian.org/security/2022/dsa-5098
• https://www.debian.org/security/2022/dsa-5099
• CWE-611: Improper Restriction of XML External Entity Reference
CVE-2022-26662
https://notcve.org/view.php?id=CVE-2022-26662
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
• https://bugs.tryton.org/issue11244
• https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
• https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html
• https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html
• https://www.debian.org/security/2022/dsa-5098
• https://www.debian.org/security/2022/dsa-5099
• CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVE-2012-2238
https://notcve.org/view.php?id=CVE-2012-2238
trytond 2.4: ModelView.button fails to validate authorization.
• http://hg.tryton.org/2.4/trytond/rev/279f0031b461
• http://www.openwall.com/lists/oss-security/2012/09/11/10
• http://www.securityfocus.com/bid/55503
• https://exchange.xforce.ibmcloud.com/vulnerabilities/78435
• https://security-tracker.debian.org/tracker/CVE-2012-2238
• CWE-863: Incorrect Authorization
CVE-2019-10868
https://notcve.org/view.php?id=CVE-2019-10868
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
• https://discuss.tryton.org/t/security-release-for-issue8189/1262
• https://hg.tryton.org/trytond/rev/f58bbfe0aefb
• https://seclists.org/bugtraq/2019/Apr/14
• https://www.debian.org/security/2019/dsa-4426
• CWE-862: Missing Authorization
CVE-2015-0861
https://notcve.org/view.php?id=CVE-2015-0861
model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.
• http://www.debian.org/security/2015/dsa-3425
• http://www.tryton.org/posts/security-release-for-issue5167.html
• https://bugs.tryton.org/issue5167
• CWE-264: Permissions, Privileges, and Access Controls