CVE-2022-26661 — XML External Entity (XXE) Injection in Proteus
Severity
6.5 MEDIUM (NVD)
EPSS
0.5%
top 34.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 10
Latest update: Mar 11
Description
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6
Affected Packages: 6 packages
Also affects: Debian Linux 10.0, 11.0, 9.0
Vulnerability Details (3)
Vendor Advisories (1)
Debian
CVE-2022-26661: tryton-proteus - An XXE issue was discovered in Tryton Application Platform (Server) 5.x through ... (2022)