Tryton News: Security Release for issue8189

@ced wrote:

Synopsis

A vulnerability in tryton has been found by Cédric Krier.

With issue8189, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

Impact

CVSS v3.0 Base Score: 4.3

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Workaround

There are no known workarounds.

Resolution

All affected users should upgrade trytond to the latest version.
Affected versions per series:

  • 5.0: <=5.0.5
  • 4.8: <=4.8.9
  • 4.6: <=4.6.13
  • 4.4: <=4.4.18
  • 4.2: <=4.2.20

Non affected versions per series:

  • 5.0: >=5.0.6
  • 4.8: >=4.8.10
  • 4.6: >=4.6.14
  • 4.4: >=4.4.19
  • 4.2: >=4.2.21

Reference

Concern?

Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type security.
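
The class of check described in the synopsis, sketched on a toy in-memory model as an added example (not trytond code and not from the advisory's author). The names RECORDS, FIELD_READ_ACCESS, search_unchecked and search_checked and the sample data are hypothetical. The unchecked search hides the restricted field in the returned rows but still sorts by it, so the row order reflects the hidden values; the checked search rejects the order clause instead.

```python
# Toy model constructed for illustration; this is not trytond code.
RECORDS = [  # constructed sample data
    {"id": 1, "name": "Alice", "salary": 5200},
    {"id": 2, "name": "Bob", "salary": 3100},
    {"id": 3, "name": "Carol", "salary": 7400},
]

# Hypothetical field-level read access per group.
FIELD_READ_ACCESS = {
    "hr": {"id", "name", "salary"},
    "employee": {"id", "name"},
}


class AccessError(Exception):
    """Raised when a query references a field the caller may not read."""


def _project(rows, readable):
    # Strip every field the caller may not read from the result rows.
    return [{k: v for k, v in r.items() if k in readable} for r in rows]


def search_unchecked(group, order):
    """Flawed pattern: read access filters the output but not the order clause."""
    readable = FIELD_READ_ACCESS[group]
    rows = RECORDS
    # Apply sort keys from last to first; sorted() is stable.
    for field, direction in reversed(order):
        rows = sorted(rows, key=lambda r: r[field],
                      reverse=(direction == "DESC"))
    return _project(rows, readable)


def search_checked(group, order):
    """Hardened: every field in the order clause must be readable by the caller."""
    readable = FIELD_READ_ACCESS[group]
    denied = [field for field, _ in order if field not in readable]
    if denied:
        raise AccessError("no read access to order field(s): " + ", ".join(denied))
    return search_unchecked(group, order)
```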
