CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 1CVE-2022-26661 – Debian Security Advisory 5099-1
https://notcve.org/view.php?id=CVE-2022-26661
07 Mar 2022 — An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system. Se ha detectado un problema de tipo XXE en Tryton Application Platform (Server) versiones 5.x hasta 5.0.45, versiones ... • https://bugs.tryton.org/issue11219 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 3%CPEs: 9EXPL: 0CVE-2022-26662 – Debian Security Advisory 5099-1
https://notcve.org/view.php?id=CVE-2022-26662
07 Mar 2022 — An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server. Se ha detectado un problema de tipo XML Entity Expansion (XEE) en Tryton Application Platform (Server) ve... • https://bugs.tryton.org/issue11244 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-2238
https://notcve.org/view.php?id=CVE-2012-2238
21 Nov 2019 — trytond 2.4: ModelView.button fails to validate authorization trytond versión 2.4: ModelView.button presenta un fallo al comprobar la autorización. • http://hg.tryton.org/2.4/trytond/rev/279f0031b461 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2019-10868 – Debian Security Advisory 4426-1
https://notcve.org/view.php?id=CVE-2019-10868
05 Apr 2019 — In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values. En trytond/model/modelstorage.py en Tryton, en las versiones 4.2 anteriores a la 4.2.21, las 4.4 anteriores a la 4.4.19, las 4.6 anteriores a la 4.6.14, las 4.8 anteriores a la 4.8.10 y las .50 anteriores a la 5.0.6, un usuario no autentic... • https://discuss.tryton.org/t/security-release-for-issue8189/1262 • CWE-862: Missing Authorization •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19443
https://notcve.org/view.php?id=CVE-2018-19443
22 Nov 2018 — The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle. El cliente en Tryton, en versiones 5.x anteriores a la 5.0.1, intenta establecer una conexión con el bus en texto claro en vez de cifrado bajo ciertas circunstancias en bus.py y jsonrpc.py. El int... • https://bugs.tryton.org/issue7792 • CWE-384: Session Fixation •
CVSS: 9.0EPSS: 1%CPEs: 5EXPL: 0CVE-2014-6633
https://notcve.org/view.php?id=CVE-2014-6633
12 Apr 2018 — The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module. La función safe_eval en trytond en Tryton, en versiones anteriores a la 2.4.15, versiones 2.6.x anteriores a la 2.6.14, versiones 2.8.x anteriores a la 2.8.11, versiones 3.0.x an... • http://www.tryton.org/posts/security-release-for-issue4155.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 99EXPL: 0CVE-2017-0360 – Debian Security Advisory 3826-1
https://notcve.org/view.php?id=CVE-2017-0360
04 Apr 2017 — file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242. Archivo abierto en Tryton 3.x y 4.x hasta la versión 4.2.2 permite a los usuarios autenticados remotos con ciertos permisos leer archivos arbitrarios mediante un ataque de "mismo nombre de raíz pero con sufijo". NOTA: Esta vulnerabilidad existe debido a ... • http://hg.tryton.org/trytond?cmd=changeset%3Bnode=472510fdc6f8 • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 41EXPL: 0CVE-2016-1241
https://notcve.org/view.php?id=CVE-2016-1241
07 Sep 2016 — Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors. Tryton 3.x en versiones anteriores a 3.2.17, 3.4.x en versiones anteriores a 3.4.14, 3.6.x en versiones anteriores a 3.6.12, 3.8.x en versiones anteriores a 3.8.8 y 4.x en versiones anteriores a 4.0.4 permiten a usuarios remotos autenticados descubrir hashes de contraseñas de usuario a través de vectores no esp... • http://www.debian.org/security/2016/dsa-3656 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.4EPSS: 0%CPEs: 41EXPL: 0CVE-2016-1242
https://notcve.org/view.php?id=CVE-2016-1242
07 Sep 2016 — file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors. file_open en Tryton en versiones anteriores a 3.2.17, 3.4.x en versiones anteriores a 3.4.14, 3.6.x en versiones anteriores a 3.6.12, 3.8.x en versiones anteriores a 3.8.8 y 4.x en versiones anteriores a 4.0.4 permite a usuarios remotos autenticados con cier... • http://www.debian.org/security/2016/dsa-3656 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 1CVE-2015-0861 – Debian Security Advisory 3425-1
https://notcve.org/view.php?id=CVE-2015-0861
17 Dec 2015 — model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records. model/modelstorage.py en trytond 3.2.x en versiones anteriores a 3.2.10, 3.4.x en versiones anteriores a 3.4.8, 3.6.x en versiones anteriores a 3.6.5 y 3.8.x en versiones anteriores a 3.8.1 permite a usuarios remotos autenticados eludir las restricciones destinadas... • http://www.debian.org/security/2015/dsa-3425 • CWE-264: Permissions, Privileges, and Access Controls •