CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 1CVE-2022-26661
https://notcve.org/view.php?id=CVE-2022-26661
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system. Se ha detectado un problema de tipo XXE en Tryton Application Platform (Server) versiones 5.x hasta 5.0.45, versiones 6.x hasta 6.0.15, y versiones 6.1.x y 6.2.x hasta 6.2.5, y Tryton Application Platform (Command Line Client (proteus)) versiones 5.x hasta 5.0.11, versiones 6.x hasta 6.0.4, y versiones 6.1.x y 6.2.x hasta 6.2.1. Un usuario autenticado puede hacer que el servidor analice un archivo XML SEPA diseñado para acceder a archivos arbitrarios en el sistema • https://bugs.tryton.org/issue11219 https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059 https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html https://www.debian.org/security/2022/dsa-5098 https://www.debian.org/security/2022/dsa-5099 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-26662
https://notcve.org/view.php?id=CVE-2022-26662
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server. Se ha detectado un problema de tipo XML Entity Expansion (XEE) en Tryton Application Platform (Server) versiones 5.x hasta 5.0.45, versiones 6.x hasta 6.0.15 y versiones 6.1.x y 6.2.x hasta 6.2.5, y Tryton Application Platform (Command Line Client (proteus)) versiones 5.x hasta 5.0.11, versiones 6.x hasta 6.0.4 y versiones 6.1.x y 6.2.x hasta 6.2.1. Un usuario no autenticado puede enviar un mensaje XML-RPC diseñado para consumir todos los recursos del servidor • https://bugs.tryton.org/issue11244 https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059 https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html https://www.debian.org/security/2022/dsa-5098 https://www.debian.org/security/2022/dsa-5099 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •