Security Release for issue #14364

Mahdi Afshar has found that trytond does not enforce access rights for the route of the HTML editor (since version 6.0).

Impact

CVSS v3.0 Base Score: 7.1

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Scope: Unchanged
• Confidentiality: High
• Integrity: Low
• Availability: None

Workaround

A possible workaround is to block access to the html editor.

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

• trytond:
  • 7.6: <= 7.6.10
  • 7.4: <= 7.4.20
  • 7.0: <= 7.0.39
  • 6.0: <= 6.0.69

Non affected versions per series:

• trytond:
  • 7.6: >= 7.6.11
  • 7.4: >= 7.4.21
  • 7.0: >= 7.0.40
  • 6.0: >= 6.0.70

Reference

• IDOR / Access Control Issue – Unauthorized Access to User Signatures (#14364) · Issues · Tryton / Tryton · GitLab

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.

CVE-2025-66423 was assigned to this issue (s.a. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121241)