Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Tryton Subscribe
Total 12 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-26662 2 Debian, Tryton 3 Debian Linux, Proteus, Trytond 2022-03-18 5.0 MEDIUM 7.5 HIGH
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
CVE-2022-26661 2 Debian, Tryton 3 Debian Linux, Proteus, Trytond 2022-03-18 4.0 MEDIUM 6.5 MEDIUM
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
CVE-2019-10868 2 Debian, Tryton 2 Debian Linux, Trytond 2020-08-26 4.0 MEDIUM 6.5 MEDIUM
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
CVE-2012-2238 1 Tryton 1 Trytond 2019-11-22 5.0 MEDIUM 7.5 HIGH
trytond 2.4: ModelView.button fails to validate authorization
CVE-2017-0360 1 Tryton 1 Tryton 2019-10-02 3.5 LOW 5.3 MEDIUM
file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242.
CVE-2015-0861 2 Debian, Tryton 2 Debian Linux, Trytond 2019-02-01 4.0 MEDIUM 4.3 MEDIUM
model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.
CVE-2018-19443 1 Tryton 1 Tryton 2018-12-19 4.3 MEDIUM 5.9 MEDIUM
The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.
CVE-2014-6633 1 Tryton 1 Tryton 2018-05-22 9.0 HIGH 8.8 HIGH
The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module.
CVE-2016-1242 1 Tryton 1 Tryton 2017-01-12 4.0 MEDIUM 4.4 MEDIUM
file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.
CVE-2016-1241 1 Tryton 1 Tryton 2016-09-08 3.5 LOW 5.3 MEDIUM
Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.
CVE-2013-4510 1 Tryton 1 Tryton 2013-11-19 7.8 HIGH N/A
Directory traversal vulnerability in the client in Tryton 3.0.0, as distributed before 20131104 and earlier, allows remote servers to write arbitrary files via path separators in the extension of a report.
CVE-2012-0215 1 Tryton 1 Trytond 2012-08-08 5.5 MEDIUM N/A
model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.