PT-2022-17993 · Unknown · Tryton Application Platform
Jeremy Mousset · Published 2022-03-07 · Updated 2022-03-18 · CVE-2022-26661
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Tryton Application Platform (Server) versions 5.x through 5.0.45
Tryton Application Platform (Server) versions 6.x through 6.0.15
Tryton Application Platform (Server) versions 6.1.x through 6.2.5
Tryton Application Platform (Command Line Client (proteus)) versions 5.x through 5.0.11
Tryton Application Platform (Command Line Client (proteus)) versions 6.x through 6.0.4
Tryton Application Platform (Command Line Client (proteus)) versions 6.1.x through 6.2.1
Description
An XML external entity (XXE) issue was discovered, allowing an authenticated user to make the server parse a crafted SEPA XML file and thereby read arbitrary files on the system.
Recommendations
For Tryton Application Platform (Server) versions 5.x through 5.0.45, update to a version later than 5.0.45.
For Tryton Application Platform (Server) versions 6.x through 6.0.15, update to a version later than 6.0.15.
For Tryton Application Platform (Server) versions 6.1.x through 6.2.5, update to a version later than 6.2.5.
For Tryton Application Platform (Command Line Client (proteus)) versions 5.x through 5.0.11, update to a version later than 5.0.11.
For Tryton Application Platform (Command Line Client (proteus)) versions 6.x through 6.0.4, update to a version later than 6.0.4.
For Tryton Application Platform (Command Line Client (proteus)) versions 6.1.x through 6.2.1, update to a version later than 6.2.1.
As a temporary workaround, consider restricting access to XML SEPA file parsing until the fixed version can be applied.
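One way to put the workaround above into practice, as an added example that is not Tryton's or proteus's own code: a stdlib-only pre-check that refuses any DOCTYPE or entity declaration before the file reaches the XML parser, on the assumption that the SEPA files are ISO 20022 pain.001 messages, which never legitimately carry a DTD. The two sample documents are constructed for the example; the unsafe one has the shape an XXE payload takes, with a placeholder path.

```python
"""Pre-screen a SEPA XML file for DTDs before parsing it (stdlib only)."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Abort on any DOCTYPE or ENTITY declaration before the body is parsed."""
    # ISO 20022 SEPA messages (pain.001, camt.053, ...) are plain namespaced
    # XML and never need a DTD, so its presence is treated as hostile.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed in SEPA file: {name!r}")

    def on_entity(*_):
        raise UnsafeXMLError("entity declaration not allowed in SEPA file")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # raises ExpatError on malformed XML


def parse_sepa(data: bytes) -> ET.Element:
    """Parse a SEPA file only after the DTD pre-check has passed."""
    reject_dtd(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """'ok' when the file may be parsed, 'rejected' when it carries a DTD."""
    try:
        reject_dtd(data)
    except UnsafeXMLError:
        return "rejected"
    return "ok"


# Constructed sample: a minimal, legitimate pain.001 credit transfer header.
SAFE_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
  <CstmrCdtTrfInitn><GrpHdr><MsgId>MSG-0001</MsgId></GrpHdr></CstmrCdtTrfInitn>
</Document>"""

# Constructed sample: the same header carrying a DTD with an external entity,
# the shape of an XXE payload (placeholder path). It must be refused.
UNSAFE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE Document [<!ENTITY ext SYSTEM "file:///placeholder/path">]>
<Document><GrpHdr><MsgId>&ext;</MsgId></GrpHdr></Document>"""
```

The pre-check rejects the unsafe document at the DOCTYPE, before the entity reference in the body is ever expanded; the clean document passes through to the normal parser unchanged.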
Weakness Enumeration
XXE
Affected Products
Tryton Application Platform