
"Mahdi Afshar has found that trytond does not enforce access rights for the route of the HTML editor (since version 6.0).

Impact

CVSS v3.0 Base Score: 7.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None"

"Workaround

A possible workaround is to block access to the HTML editor.

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

Non affected versions per series:

Reference

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked."
Trytond does not enforce access rights for the HTML editor route starting with version 6.0, permitting unauthorized access. The issue was identified by Mahdi Afshar. The vulnerability has a CVSS v3.0 base score of 7.1, with network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. A possible workaround is to block access to the HTML editor. The recommended resolution is to upgrade trytond to the latest version. Security concerns should be reported on the Tryton bug-tracker with the confidential checkbox checked.
Read at Tryton Discussion