CVE-2014-6633 – trytond
Package
Manager: pip
Name: trytond
Vulnerable Version: >=2.4.0 <2.4.15 || >=2.6.0 <2.6.14 || >=2.8.0 <2.8.11 || >=3.2.0 <3.2.3 || >=3.0.0 <3.0.7
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01089 (percentile: 0.77092)
Details
Tryton vulnerable to arbitrary command execution
The `safe_eval` function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the `collection.domain` in the webdav module or (2) the formula field in the `price_list` module.
Metadata
Created: 2022-05-14T03:21:41Z
Modified: 2024-11-18T22:55:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m9jj-5qvj-5fhx/GHSA-m9jj-5qvj-5fhx.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-m9jj-5qvj-5fhx
Finding: F422
Auto approve: 1