Security Release for issue9089


A vulnerability in sao has been found by Cédric Krier .

With issue9089, the web client does not set noreferrer nor noopener to open external links.
An attacker could trick a Tryton user to open a crafted URL which will allow him to take control of web page on which sao is running. He could then steal for example the session.


CVSS v3.0 Base Score: 4.2

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None


Users must not open non-trusted URLs from the web client.


All affected users should upgrade sao to the latest version.
Affected versions per series:

  • 5.4: <= 5.4.3
  • 5.2: <= 5.2.11
  • 5.0: <=5.0.19

Non affected versions per series:

  • 5.4: >= 5.4.4
  • 5.2: >= 5.2.12
  • 5.0: >= 5.0.20



Any security concerns should be reported on the bug-tracker at with the type security .