VYPR

Trytond

by Tryton

pypi: trytond

CVEs (12)

  • CVE-2020-37014 · Med · Jan 30, 2026
    risk 0.42 · cvss 6.4 · epss 0.00

    Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and…

  • CVE-2016-1242 · Med · Sep 7, 2016
    risk 0.29 · cvss 4.4 · epss 0.02

    file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.

  • CVE-2017-0360 · Med · Apr 4, 2017
    risk 0.28 · cvss 5.3 · epss 0.02

    file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242.

  • CVE-2016-1241 · Med · Sep 7, 2016
    risk 0.28 · cvss 5.3 · epss 0.02

    Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.

  • CVE-2015-0861 · Med · Apr 13, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.

  • CVE-2025-66423 · Nov 30, 2025
    risk 0.00 · cvss (none listed) · epss 0.00

    Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

  • CVE-2025-66424 · Nov 30, 2025
    risk 0.00 · cvss (none listed) · epss 0.00

    Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

  • CVE-2025-66422 · Nov 30, 2025
    risk 0.00 · cvss (none listed) · epss 0.00

    Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

  • CVE-2012-2238 · Nov 21, 2019
    risk 0.00 · cvss (none listed) · epss 0.02

    trytond 2.4: ModelView.button fails to validate authorization

  • CVE-2019-10868 · Apr 5, 2019
    risk 0.00 · cvss (none listed) · epss 0.01

    In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

  • CVE-2013-4510 · Nov 18, 2013
    risk 0.00 · cvss (none listed) · epss 0.02

    Directory traversal vulnerability in the client in Tryton 3.0.0, as distributed before 20131104 and earlier, allows remote servers to write arbitrary files via path separators in the extension of a report.

  • CVE-2012-0215 · Jul 12, 2012
    risk 0.00 · cvss (none listed) · epss 0.02

    model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2)…