CVE-2016-1242

Name of the Vulnerable Software and Affected Versions Tryton versions prior to 3.2.17 Tryton versions 3.4.x prior to 3.4.14 Tryton versions 3.6.x prior to 3.6.12 Tryton versions 3.8.x prior to 3.8.8 Tryton versions 4.x prior to 4.0.4

Description The issue allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or other unspecified vectors. This is related to the file open function in Tryton.

Recommendations For versions prior to 3.2.17, update to version 3.2.17 or later. For versions 3.4.x prior to 3.4.14, update to version 3.4.14 or later. For versions 3.6.x prior to 3.6.12, update to version 3.6.12 or later. For versions 3.8.x prior to 3.8.8, update to version 3.8.8 or later. For versions 4.x prior to 4.0.4, update to version 4.0.4 or later. As a temporary workaround, consider restricting access to the file open function until a patch is available. Avoid using the name parameter in affected API endpoints until the issue is resolved.