Debian Tryton-Server vulnerabilities

13 known vulnerabilities affecting debian/tryton-server.

Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 9, LOW 1

Vulnerabilities

CVE-2025-66423 | HIGH | CVSS 7.1 | fixed in tryton-server 6.0.29-2+deb12u4 (bookworm) | 2025
CVE-2025-66423: tryton-server - Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Scope: local
  bookworm: resolved (fixed in 6.0.29-2+deb12u4)
  bullseye: resolved
  forky: resolved (fixed in 7.0.40-1)
  sid: resolved (fixed in 7.0.40-1)
  trixie: resolved (fixed in 7.0.30-1+deb13u1)
Source: debian
CVE-2025-66424 | MEDIUM | CVSS 6.5 | fixed in tryton-server 6.0.29-2+deb12u4 (bookworm) | 2025
CVE-2025-66424: tryton-server - Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Scope: local
  bookworm: resolved (fixed in 6.0.29-2+deb12u4)
  bullseye: resolved (fixed in 5.0.33-2+deb11u4)
  forky: resolved (fixed in 7.0.40-1)
  sid: resolved (fixed in 7.0.40-1)
  trixie: resolved (fixed in 7.0.30-1+deb13u1)
Source: debian
CVE-2025-66422 | MEDIUM | CVSS 4.3 | fixed in tryton-server 6.0.29-2+deb12u4 (bookworm) | 2025
CVE-2025-66422: tryton-server - Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Scope: local
  bookworm: resolved (fixed in 6.0.29-2+deb12u4)
  bullseye: resolved (fixed in 5.0.33-2+deb11u4)
  forky: resolved (fixed in 7.0.40-1)
  sid: resolved (fixed in 7.0.40-1)
  trixie: resolved (
Source: debian
CVE-2022-26662 | HIGH | CVSS 7.5 | fixed in tryton-proteus 6.0.5-1 (bookworm) | 2022
CVE-2022-26662: tryton-proteus - An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC messag
Source: debian
CVE-2022-26661 | MEDIUM | CVSS 6.5 | fixed in tryton-proteus 6.0.5-1 (bookworm) | 2022
CVE-2022-26661: tryton-proteus - An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to acc
Source: debian
CVE-2019-10868 | MEDIUM | CVSS 6.5 | fixed in tryton-server 5.0.4-2 (bookworm) | 2019
CVE-2019-10868: tryton-server - In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
Scope: local
  bookworm: resolved (fixed in 5.0.4-2)
  bullseye: resolved (fixed in 5.0.4-2
Source: debian
CVE-2017-0360 | MEDIUM | CVSS 4.4 | fixed in tryton-server 4.2.1-2 (bookworm) | 2017
CVE-2017-0360: tryton-server - file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242.
Scope: local
  bookworm: resolved (fixed in 4.2.1-2)
  bullseye: resolved (fixed in 4.2.1-2)
  forky: resolved
Source: debian
CVE-2016-1241 | MEDIUM | CVSS 5.3 | fixed in tryton-server 4.0.4-1 (bookworm) | 2016
CVE-2016-1241: tryton-server - Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.
Scope: local
  bookworm: resolved (fixed in 4.0.4-1)
  bullseye: resolved (fixed in 4.0.4-1)
  forky: resolved (fixed in 4.0.4-1)
  sid: resolved (fixed in 4.0.4-1)
  trixi
Source: debian
CVE-2016-1242 | MEDIUM | CVSS 4.4 | fixed in tryton-server 4.0.4-1 (bookworm) | 2016
CVE-2016-1242: tryton-server - file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.
Scope: local
  bookworm: resolved (fixed in 4.0.4-1)
  bullseye: resolved (fixed in 4.0.4-1)
  forky: resolved (fi
Source: debian
CVE-2015-0861 | MEDIUM | CVSS 4.3 | fixed in tryton-server 3.8.1-1 (bookworm) | 2015
CVE-2015-0861: tryton-server - model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.
Scope: local
  bookworm: resolved (fixed in 3.8.1-1)
  bullseye: resolved (fixed in 3.8.1-1)
  forky: resolved (fixed in
Source: debian
CVE-2014-6633 | HIGH | CVSS 8.8 | fixed in tryton-server 3.2.3-1 (bookworm) | 2014
CVE-2014-6633: tryton-server - The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module.
Scope: local
  bookworm: resolve
Source: debian
CVE-2012-0215 | MEDIUM | CVSS 5.5 | fixed in tryton-server 2.2.2-1 (bookworm) | 2012
CVE-2012-0215: tryton-server - model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.
Scope: local
  bookworm: resolved (fixed in 2
Source: debian
CVE-2012-2238 | LOW | CVSS 7.5 | 2012
CVE-2012-2238 [HIGH]: tryton-server - trytond 2.4: ModelView.button fails to validate authorization
Scope: local
  bookworm: resolved
  bullseye: resolved
  forky: resolved
  sid: resolved
  trixie: resolved
Source: debian