CVE-2022-26662 trytond

Package

Manager: pip
Name: trytond
Vulnerable Version: >=5.0.0 <5.0.46 || >=6.0.0 <6.0.16 || >=6.1.0 <6.2.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.04112 (percentile: 0.88164)

Details

XML Entity Expansion in trytond and proteus

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.

Metadata

Created: 2022-03-11T00:02:04Z
Modified: 2022-03-28T15:56:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-pm3h-mm62-pwm8/GHSA-pm3h-mm62-pwm8.json
CWE IDs: ["CWE-776"]
Alternative ID: GHSA-pm3h-mm62-pwm8
Finding: F083
Auto approve: 1