CVE-2022-26661

medium

Description

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

References

https://www.debian.org/security/2022/dsa-5099

https://www.debian.org/security/2022/dsa-5098

https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html

https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html

https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059

https://bugs.tryton.org/issue11219

Details

Source: MITRE, NVD

Published: 2022-03-10

Updated: 2022-03-18

Risk Information

CVSS v2

Base Score: 4.0

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium