Cédric Krier

**Name of the Vulnerable Software and Affected Versions** python-sql (affected versions not specified) **Description** A vulnerability was found in python-sql where unary operators do not escape non-Expression, such as `And` and `Or`. This makes any system exposing those vulnerable to an SQL injection attack, allowing a remote attacker to execute arbitrary SQL code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tryton versions 5.0.0 **Description** The issue arises when the client attempts to establish a connection to the bus in cleartext instead of using encryption under specific circumstances, as seen in bus.py and jsonrpc.py. Although the connection attempt fails, it includes the current user session in the header, making it susceptible to session theft by a man-in-the-middle. **Recommendations** For Tryton version 5.0.0, update to version 5.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** trytond versions 3.2.x through 3.2.9 trytond versions 3.4.x through 3.4.7 trytond versions 3.6.x through 3.6.4 trytond versions 3.8.x through 3.8.0 **Description** The issue allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records. **Recommendations** For trytond versions 3.2.x through 3.2.9, update to version 3.2.10 or later. For trytond versions 3.4.x through 3.4.7, update to version 3.4.8 or later. For trytond versions 3.6.x through 3.6.4, update to version 3.6.5 or later. For trytond versions 3.8.x through 3.8.0, update to version 3.8.1 or later.