CVE-2022-26661
MEDIUM6.5EPSS 0.48%tryton-proteus - security update
Published: 3/11/2022Modified: 4/28/2026
Description
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
Affected packages (9)
- Debian/tryton-proteusfrom 0, < 5.0.1-3+deb10u1
- Debian/tryton-proteusfrom 0, < 5.0.8-1+deb11u1
- Debian/tryton-proteusfrom 0, < 4.2.0-1+deb9u1
- Debian/tryton-serverfrom 0, < 4.2.1-2+deb9u2
- Debian/tryton-serverfrom 0, < 5.0.33-2+deb11u1
- Debian/tryton-serverfrom 0, < 5.0.4-2+deb10u1
- PyPI/proteus>= 5.0.0, < 5.0.12
- PyPI/tryton>= 5.0.0, < 5.0.12, >= 6.0.0, < 6.0.5, >= 6.2.0, < 6.2.2, < 6.2.6, < 6.0.16, < 5.0.46
- PyPI/trytond>= 5.0.0, < 5.0.46
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (10)
- ADVISORYhttps://bugs.tryton.org/issue11219
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-26661
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-26661
- PATCHhttps://hg.tryton.org/trytond
- WEBhttps://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
- WEBhttps://foss.heptapod.net/tryton/tryton/-/issues/11219
- WEBhttps://lists.debian.org/debian-lts-announce/2022/03/msg00016.html
- WEBhttps://lists.debian.org/debian-lts-announce/2022/03/msg00017.html
- WEBhttps://www.debian.org/security/2022/dsa-5098
- WEBhttps://www.debian.org/security/2022/dsa-5099