Description
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
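A defensive check for the XML parsing step described above, added here as an example that is not part of this record or of Tryton's own code: it refuses SEPA input carrying DOCTYPE or ENTITY declarations (the CWE-611 pattern) before the document reaches the parser, so external entities never get a chance to resolve. The two pain.001 sample messages, the MsgId lookup and the function names are constructed for illustration and are not taken from Tryton.

```python
import re
import xml.etree.ElementTree as ET

PAIN_NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"}

# Constructed sample: a minimal SEPA pain.001 credit-transfer message.
SAFE_SEPA = b"""<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
  <CstmrCdtTrfInitn><GrpHdr><MsgId>MSG-0001</MsgId></GrpHdr></CstmrCdtTrfInitn>
</Document>"""

# Constructed sample: the same message with a DOCTYPE declaring an external
# entity, which is the shape CWE-611 describes (placeholder URI, no real file).
HOSTILE_SEPA = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Document [ <!ENTITY ext SYSTEM "file:///placeholder/local-file"> ]>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
  <CstmrCdtTrfInitn><GrpHdr><MsgId>&ext;</MsgId></GrpHdr></CstmrCdtTrfInitn>
</Document>"""

# Any DTD at all is rejected: a SEPA message never legitimately needs one.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when the input carries a DTD and must not be parsed."""


def _has_dtd(xml_bytes: bytes) -> bool:
    # Inspect the raw bytes; normalise UTF-16 input (BOM present) to UTF-8 so the
    # byte regex cannot be bypassed by a two-byte encoding of "<!DOCTYPE".
    if xml_bytes[:2] in (b"\xff\xfe", b"\xfe\xff"):
        xml_bytes = xml_bytes.decode("utf-16").encode("utf-8")
    return _DTD_RE.search(xml_bytes) is not None


def parse_sepa(xml_bytes: bytes) -> ET.Element:
    """Parse a SEPA document only after confirming it declares no DTD."""
    if _has_dtd(xml_bytes):
        raise UnsafeXMLError("DOCTYPE/ENTITY declarations are not accepted in SEPA input")
    return ET.fromstring(xml_bytes)


def message_id(xml_bytes: bytes) -> str:
    """Return GrpHdr/MsgId from a pain.001 message; raises UnsafeXMLError on DTD input."""
    root = parse_sepa(xml_bytes)
    return root.findtext("p:CstmrCdtTrfInitn/p:GrpHdr/p:MsgId", namespaces=PAIN_NS)


def is_accepted(xml_bytes: bytes) -> bool:
    """True when the document passes the DTD gate and parses."""
    try:
        parse_sepa(xml_bytes)
        return True
    except UnsafeXMLError:
        return False
```

The regex gate is deliberately coarse: it trades a few false rejections (a DTD in a comment) for never letting a DTD reach the parser, which is the right trade for uploaded bank files.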
References (6)
https://bugs.tryton.org/issue11219 (Exploit, Issue Tracking, Vendor Advisory; x_refsource_misc)
https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059 (Vendor Advisory; x_refsource_misc)
https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html (Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist)
https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html (Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist)
https://www.debian.org/security/2022/dsa-5098 (Third Party Advisory; vendor-advisory, x_refsource_debian)
https://www.debian.org/security/2022/dsa-5099 (Third Party Advisory; vendor-advisory, x_refsource_debian)
Scores
CVSS v3: 6.5
EPSS: 0.0137
EPSS Percentile: 68.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-611
Status: published
Products (7)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
pypi/proteus 5.0.0 - 5.0.12 (PyPI)
pypi/trytond 5.0.0 - 5.0.46 (PyPI)
tryton/proteus 5.0.0 - 5.0.12
tryton/trytond 5.0.0 - 5.0.46
Published: Mar 10, 2022
Tracked Since: Feb 18, 2026