PyPI package
trytond
pkg:pypi/trytond
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-66424 | — | — | — | >= 7.5.0, < 7.6.11 | 7.6.11 | Nov 30, 2025 | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. |
| CVE-2025-66423 | — | — | — | >= 7.5.0, < 7.6.11 | 7.6.11 | Nov 30, 2025 | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. |
| CVE-2025-66422 | — | — | — | >= 7.5.0, < 7.6.11 | 7.6.11 | Nov 30, 2025 | Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. |
| CVE-2022-26661 | — | — | — | >= 5.0.0, < 5.0.46 | 5.0.46 | Mar 7, 2022 | An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. |
| CVE-2022-26662 | — | — | — | >= 5.0.0, < 5.0.46 | 5.0.46 | Mar 7, 2022 | An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x a |
| CVE-2012-2238 | — | — | — | >= 2.4.0, < 2.4.2 | 2.4.2 | Nov 21, 2019 | trytond 2.4: ModelView.button fails to validate authorization |
| CVE-2019-10868 | — | — | — | >= 4.2.0, < 4.2.21 | 4.2.21 | Apr 5, 2019 | In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values. |
| CVE-2014-6633 | — | — | — | >= 2.4.0, < 2.4.15 | 2.4.15 | Apr 12, 2018 | The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav modu |
| CVE-2017-0360 | Med | 5.3 | — | >= 3.0.0, <= 3.0.17 | — | Apr 4, 2017 | file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242. |
| CVE-2016-1242 | Med | 4.4 | — | < 3.2.17 | 3.2.17 | Sep 7, 2016 | file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors. |
| CVE-2016-1241 | Med | 5.3 | — | >= 3.0.0, < 3.2.17 | 3.2.17 | Sep 7, 2016 | Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors. |
| CVE-2015-0861 | Med | 4.3 | — | >= 3.2.0, < 3.2.10 | 3.2.10 | Apr 13, 2016 | model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records. |
| CVE-2013-4510 | — | — | — | — | — | Nov 18, 2013 | Directory traversal vulnerability in the client in Tryton 3.0.0, as distributed before 20131104 and earlier, allows remote servers to write arbitrary files via path separators in the extension of a report. |
| CVE-2012-0215 | — | — | — | < 2.4.0 | 2.4.0 | Jul 12, 2012 | model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) wr |