CVE-2022-26661 – trytond

Package

Manager: pip
Name: trytond
Vulnerable Version: >=5.0.0 <5.0.46 || >=6.0.0 <6.0.16 || >=6.1.0 <6.2.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00474 pctl0.63836

Details

Improper Restriction of XML External Entity Reference in trytond and proteus An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

Metadata

Created: 2022-03-11T00:02:02Z
Modified: 2022-03-28T15:56:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-cj78-rgw3-4h5p/GHSA-cj78-rgw3-4h5p.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-cj78-rgw3-4h5p
Finding: F083
Auto approve: 1