Synopsis

A vulnerability in tryton has been found by Cédric Krier.

With issue8189, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

Impact

CVSS v3.0 Base Score: 4.3

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Scope: Unchanged
• Confidentiality: Low
• Integrity: None
• Availability: None

Workaround

There are no known workarounds.

Resolution

All affected users should upgrade trytond to the latest version.
Affected versions per series:

• 5.0: <=5.0.5
• 4.8: <=4.8.9
• 4.6: <=4.6.13
• 4.4: <=4.4.18
• 4.2: <=4.2.20

Non affected versions per series:

• 5.0: >=5.0.6
• 4.8: >=4.8.10
• 4.6: >=4.6.14
• 4.4: >=4.4.19
• 4.2: >=4.2.21

Reference

• issue8189

Concern?

Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type security .

CVE-2019-10868 was assigned by the Debian project to this issue. Please include this identifier whenever you refer to this issue.