Albert Cervera has found that trytond allows to execute reports for records that user has no read access and also for reports limited to a set of group that the user is not.

Impact

CVSS v3.0 Base Score: 4.3

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Scope: Unchanged
• Confidentiality: Low
• Integrity: None
• Availability: None

Workaround

There is no known workaround.

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

• trytond:
  • 7.2: <= 7.2.8
  • 7.0: <= 7.0.17
  • 6.0: <= 6.0.51

Non affected versions per series:

• trytond:
  • 7.2: >= 7.2.9
  • 7.0: >= 7.0.18
  • 6.0: >= 6.0.52

Reference

• https://bugs.tryton.org/13505
• https://bugs.tryton.org/13506

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.

1 post - 1 participant

Read full topic