CVE-2019-10868 — Missing Authorization in Trytond

CWE-862 — Missing Authorization7 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 49.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tryton Trytond Debian Tryton-server Debian Linux

Timeline

PublishedApr 5

Latest updateApr 15

Description

In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDtryton/trytond4.2.0 — 4.2.21+4

▶PyPItryton/trytond4.2.0 — 4.2.21+4

▶debiandebian/tryton-server< tryton-server 5.0.4-2 (bookworm)

Also affects: Debian Linux 9.0

Patches

Patch: hg.tryton.org ↗Patch: hg.tryton.org ↗

🔴Vulnerability Details

GHSA

Tryton Improper Access Control↗2019-04-10

▶

OSV

Tryton Improper Access Control↗2019-04-10

▶

OSV

CVE-2019-10868: In trytond/model/modelstorage↗2019-04-05

▶

📋Vendor Advisories

Debian

CVE-2019-10868: tryton-server - In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19,...↗2019

▶

💬Community

Bugzilla

CVE-2019-10868 trytond: information disclosure vulnerability in modelstorage.py↗2019-04-15

▶

Bugzilla

CVE-2019-10868 trytond: information disclosure vulnerability in modelstorage.py [fedora-all]↗2019-04-15

▶