PT-2019-2178 · Tryton · Tryton

Cedric Krier

Published 2019-04-02 · Updated 2020-08-26

CVE-2019-10868

CVSS v4.0 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Tryton versions 4.2 through 4.2.20
Tryton versions 4.4 through 4.4.18
Tryton versions 4.6 through 4.6.13
Tryton versions 4.8 through 4.8.9
Tryton versions 5.0 through 5.0.5
Description

The flaw is in the modelstorage.py component of Tryton: the order clause of a search is applied without checking that the caller has read access to the fields it names, so an authenticated user can order records by a field they are not allowed to read. The resulting order reveals the relative values of that field across records, which lets the user guess protected values and so disclose information the field-level access rules were meant to hide.
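As an added illustration (not code from Tryton or from this advisory), the Python toy below reproduces the gap described above: a search that filters the returned columns by field-level read access but applies the caller's order clause unchecked, the inference a low-privilege user can draw from the returned order, and the check the hardened variant adds. The model, groups, fields (`employee`, `hr`, `staff`, `salary`), the records and the access table are all constructed for this example and do not come from the Tryton code base.

```python
"""Added illustration, not Tryton's own code: a toy search() that applies
the caller's ORDER clause without checking field-level read access, the
inference that recovers a hidden field's ranking through it, and the
check that closes the hole."""


class AccessError(Exception):
    """Raised when a caller names a field it may not read."""


# Constructed sample data: an "employee" model with a protected salary.
RECORDS = [
    {"id": 1, "name": "alice", "salary": 72000},
    {"id": 2, "name": "bob", "salary": 51000},
    {"id": 3, "name": "carol", "salary": 98000},
    {"id": 4, "name": "dave", "salary": 51000},
]

# Constructed field-level read access: model -> group -> readable fields.
FIELD_READ_ACCESS = {
    "employee": {
        "hr": {"id", "name", "salary"},
        "staff": {"id", "name"},  # staff may not read salary
    },
}


def readable_fields(model, group):
    return FIELD_READ_ACCESS[model][group]


def _apply_order(rows, order):
    """Multi-key sort for an order spec such as [("salary", "ASC"), ("name", "DESC")].
    Keys are applied last-to-first; Python's sort is stable, so the result is
    the usual lexicographic ordering over all keys."""
    for field, direction in reversed(order):
        rows = sorted(rows, key=lambda r: r[field], reverse=(direction == "DESC"))
    return rows


def search_vulnerable(model, group, order):
    """Mirrors the flaw: returned columns are filtered by read access,
    but the fields named in ORDER are never checked."""
    fields = readable_fields(model, group)
    rows = _apply_order(list(RECORDS), order)
    return [{f: r[f] for f in sorted(fields)} for r in rows]


def search_fixed(model, group, order):
    """Hardened variant: every field named in ORDER must be readable,
    and the check runs before the order is applied."""
    fields = readable_fields(model, group)
    for field, _ in order:
        if field not in fields:
            raise AccessError(f"no read access to {model}.{field}")
    rows = _apply_order(list(RECORDS), order)
    return [{f: r[f] for f in sorted(fields)} for r in rows]


def infer_ranking(search, model, group, hidden_field, visible_field="name"):
    """What a low-privilege caller learns through an unchecked order clause:
    the full ascending ranking of a field it cannot read, labelled by a
    field it can read."""
    rows = search(model, group, [(hidden_field, "ASC")])
    return [r[visible_field] for r in rows]


def order_is_rejected(search, model, group, order):
    """True if the given search refuses the order clause with AccessError."""
    try:
        search(model, group, order)
    except AccessError:
        return True
    return False


if __name__ == "__main__":
    # A staff user cannot read salary, yet learns who earns more than whom.
    print(infer_ranking(search_vulnerable, "employee", "staff", "salary"))
    # The fixed search refuses the same request.
    print(order_is_rejected(search_fixed, "employee", "staff", [("salary", "ASC")]))
```

The ranking alone already answers questions such as who is paid most, and ordering on several fields or combining the order with search filters narrows values further. Note that the toy's stable in-memory sort makes the order of ties deterministic; a real database gives no such guarantee, so only the ranking of distinct values is reliably recovered. The fix is a check on the order specification before it reaches the query, the same place the domain and returned fields are already validated.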
Recommendations

For Tryton versions 4.2 through 4.2.20, update to version 4.2.21 or later.
For Tryton versions 4.4 through 4.4.18, update to version 4.4.19 or later.
For Tryton versions 4.6 through 4.6.13, update to version 4.6.14 or later.
For Tryton versions 4.8 through 4.8.9, update to version 4.8.10 or later.
For Tryton versions 5.0 through 5.0.5, update to version 5.0.6 or later.

Fix

Weakness Enumeration

Improper Access Control (CWE-284)

Missing Authorization (CWE-862)

Related Identifiers

BDU:2019-01944
CVE-2019-10868
DSA-4426-1
GHSA-F6F2-PWRJ-64H3
PYSEC-2019-127

Affected Products

Tryton