Security Release for issue #14363

ced · November 21, 2025, 3:00pm

Abdulfatah Abdillahi has found that sao does not escape the completion values. The content of completion is generally the record name which may be edited in many ways depending on the model. The content may include some JavaScript which is executed in the same context as sao which gives access to sensitive data such as the session.

Impact

CVSS v3.0 Base Score: 7.3

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Workaround

There is no general workaround.

Resolution

All affected users should upgrade sao to the latest version.

Affected versions per series:

sao:
- 7.6: <= 7.6.10
- 7.4: <= 7.4.20
- 7.0: <= 7.0.39
- 6.0: <= 6.0.68

Non affected versions per series:

sao:
- 7.6: >= 7.6.11
- 7.4: >= 7.4.21
- 7.0: >= 7.0.40
- 6.0: >= 6.0.69

Reference

Stored XSS Vulnerability Found in Party Field Leading to Arbitrary JavaScript Execution (#14363) · Issues · Tryton / Tryton · GitLab

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.

Topic		Replies	Views
Security Release for issue9405 News security	1	1081	July 29, 2020
Security Release for issue9453 News security	1	1427	August 9, 2020
Security Release for issue9351 News security	0	1659	May 26, 2020
Security Release for issue9394 News security	1	1294	July 29, 2020
Security Release for issue #14290 News security	1	266	November 20, 2025