Tryton Trytond vulnerabilities
13 known vulnerabilities affecting tryton/trytond.
Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 9
Vulnerabilities
CVE-2025-66423 | HIGH | CVSS 7.1 | CWE-863 | Date: 2025-11-30
Affected: ≥ 6.0.0, < 6.0.70; ≥ 7.0.0, < 7.0.40; +4 more
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Sources: GHSA, NVD, OSV
CVE-2025-66422 | MEDIUM | CVSS 4.3 | CWE-402 | Date: 2025-11-30
Affected: ≥ 6.0.0, < 6.0.70; ≥ 7.0.0, < 7.0.40; +5 more
Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Sources: GHSA, NVD, OSV
CVE-2025-66424 | MEDIUM | CVSS 6.5 | CWE-863 | Date: 2025-11-30
Affected: ≥ 6.0.0, < 6.0.70; ≥ 7.0.0, < 7.0.40; +4 more
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Sources: GHSA, NVD, OSV
CVE-2016-1242 | MEDIUM | CWE-200 | Date: 2022-05-17
Affected: ≥ 0, < 3.2.17; ≥ 3.4, < 3.4.14; +3 more
Tryton allows authenticated users with certain permissions to read arbitrary files via the name parameter
`file_open` in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.
Sources: GHSA, OSV
CVE-2016-1241 | MEDIUM | CWE-200 | Date: 2022-05-17
Affected: ≥ 3.0.0, < 3.2.17; ≥ 3.4.0, < 3.4.14; +3 more
Tryton allows users to read the hashed password
Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.
Sources: GHSA, OSV
CVE-2014-6633 | HIGH | CWE-77 | Date: 2022-05-14
Affected: ≥ 2.4.0, < 2.4.15; ≥ 2.6.0, < 2.6.14; +3 more
Tryton vulnerable to arbitrary command execution
The `safe_eval` function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the `collection.domain` in the webdav module or (2) the formula field in the `price_list` module.
Sources: GHSA, OSV
CVE-2017-0360 | MEDIUM | CVSS 4.4 | CWE-269 | Date: 2022-05-13
Affected: ≥ 3.0.0, ≤ 3.0.17; ≥ 3.2.0, ≤ 3.2.17; +5 more
Tryton Information Disclosure Vulnerability
`file_open` in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242.
Sources: GHSA, OSV
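The two `file_open` entries above (CVE-2016-1242 and its incomplete fix, CVE-2017-0360) describe a path-containment check that a sibling directory sharing the root's name as a prefix can slip past. The Python below is an added illustration of that bug class and is not trytond's code: `DATA_ROOT`, `file_open_naive`, `file_open_hardened` and `probe` are hypothetical names chosen for this page, and the attacker inputs are constructed for the example.

```python
import os

# Hypothetical data directory for the example; not a path trytond uses.
DATA_ROOT = "/srv/tryton/data"


def file_open_naive(root, name):
    """Character-prefix check (illustration of the incomplete fix, not trytond's code).

    It stops '../../etc/passwd', whose normalised path leaves the root, but
    not '../data_backup/secret': that normalises to /srv/tryton/data_backup/...,
    which still starts with the string '/srv/tryton/data'. This is the
    "same root name but with a suffix" bypass described for CVE-2017-0360.
    """
    path = os.path.normpath(os.path.join(root, name))
    if not path.startswith(root):
        raise PermissionError(name)
    return path


def file_open_hardened(root, name):
    """Containment check on path components rather than characters.

    Both sides are resolved (symlinks included) and the root must be the
    common path of root and candidate. An absolute name, a '..' escape and a
    same-prefix sibling directory are all refused.
    """
    root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(name)
    return path


def probe(root, name):
    """Report which of the two checks would hand out a file for `name`."""
    outcome = {}
    for label, opener in (("naive", file_open_naive), ("hardened", file_open_hardened)):
        try:
            opener(root, name)
            outcome[label] = True
        except PermissionError:
            outcome[label] = False
    return outcome


if __name__ == "__main__":
    # Constructed attacker inputs for the example.
    for name in ("reports/invoice.odt", "../../etc/passwd",
                 "../data_backup/secret", "/etc/passwd"):
        print(f"{name!r:28} -> {probe(DATA_ROOT, name)}")
```

The naive variant is exactly the shape of a "fix" for plain `..` traversal that leaves the suffix case open; `os.path.commonpath` after `realpath` compares whole components, so `data` and `data_backup` are no longer confused, and a symlink planted under the root cannot point back out of it.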
CVE-2022-26662 | HIGH | CVSS 7.5 | CWE-776 | Date: 2022-03-10
Affected: ≥ 5.0.0, < 5.0.46; ≥ 6.0.0, < 6.0.16; +1 more
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RP
Sources: GHSA, NVD, OSV
CVE-2022-26661 | MEDIUM | CVSS 6.5 | CWE-611 | Date: 2022-03-10
Affected: ≥ 5.0.0, < 5.0.46; ≥ 6.0.0, < 6.0.16; +1 more
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file
Sources: GHSA, NVD, OSV
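CVE-2022-26662 (entity expansion over XML-RPC, reachable unauthenticated) and CVE-2022-26661 (external entities in an uploaded SEPA file) are defeated by the same rule: refuse any document that declares a DOCTYPE or an entity before the parser expands anything. The Python below is an added example and is not trytond's or proteus's protocol code; it uses only the standard library's expat bindings, and `parse_methodcall`, `UnsafeXML`, `rejected` and the three sample messages are constructed for this page.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Document carries a DOCTYPE, an entity declaration or an external entity reference."""


def parse_methodcall(data: bytes) -> dict:
    """Minimal XML-RPC <methodCall> reader with entity handling disabled.

    Returns {"method": <methodName>, "params": [<scalar text>, ...]}.
    The three reject_* handlers fire on the DOCTYPE, on each <!ENTITY ...>
    declaration and on any external reference, so a billion-laughs payload
    (XEE) or a SYSTEM entity pointing at a local file (XXE) is refused before
    a single entity is expanded. Added example; not trytond's dispatcher.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver each text node in one callback

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} refused")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} refused")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity {sysid!r} refused")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    result = {"method": None, "params": []}
    text = []

    def start(tag, attrs):
        text.clear()

    def chars(chunk):
        text.append(chunk)

    def end(tag):
        value = "".join(text).strip()
        text.clear()
        if tag == "methodName":
            result["method"] = value
        elif tag in ("string", "int", "i4", "double", "boolean",
                     "dateTime.iso8601", "base64"):
            result["params"].append(value)
        elif tag == "value" and value:  # untyped <value>text</value> is a string
            result["params"].append(value)

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    if result["method"] is None:
        raise ValueError("no <methodName> in request")
    return result


def rejected(data: bytes) -> bool:
    """True if the hardened parser refuses `data` on DOCTYPE/entity grounds."""
    try:
        parse_methodcall(data)
    except UnsafeXML:
        return True
    return False


# Constructed sample messages for the example.
BENIGN = (b'<?xml version="1.0"?><methodCall><methodName>common.server.version</methodName>'
          b'<params><param><value><string>tryton</string></value></param></params></methodCall>')

# XEE: nested internal entities, each expanding ten times (a small billion-laughs).
LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
          b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
          b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
          b'<methodCall><methodName>&lol3;</methodName></methodCall>')

# XXE: external entity that would pull a local file into the document.
XXE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<methodCall><methodName>&xxe;</methodName></methodCall>')

if __name__ == "__main__":
    print(parse_methodcall(BENIGN))
    for label, payload in (("XEE", LAUGHS), ("XXE", XXE)):
        print(label, "rejected" if rejected(payload) else "ACCEPTED")
```

Refusing the DOCTYPE outright is the simplest policy for a protocol such as XML-RPC that never legitimately needs one; the entity and external-reference handlers are kept as a second line in case a future change lets a DOCTYPE through. The defusedxml package installs the same kind of handlers on the standard-library parsers for code that cannot be rewritten this way.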
CVE-2012-2238 | HIGH | CVSS 7.5 | CWE-863 | Date: 2019-11-21
Affected: ≥ 2.4.0, < 2.4.2; ≤ 2.4
trytond 2.4: ModelView.button fails to validate authorization
Sources: GHSA, NVD, OSV
CVE-2019-10868 | MEDIUM | CVSS 6.5 | CWE-862 | Date: 2019-04-05
Affected: ≥ 4.2.0, < 4.2.21; ≥ 4.4.0, < 4.4.19; +3 more
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
Sources: GHSA, NVD, OSV
CVE-2015-0861 | MEDIUM | CVSS 4.3 | CWE-264 | Date: 2016-04-13
Affected: ≥ 3.2.0, < 3.2.10; ≥ 3.4.0, < 3.4.8; +2 more
model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.
Sources: GHSA, NVD, OSV
CVE-2012-0215 | MEDIUM | CVSS 5.5 | CWE-264 | Date: 2012-07-12
Affected: ≤ 2.2.3; v1.4.13; +3 more
model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.
Sources: GHSA, NVD, OSV