Synopsis
A vulnerability in trytond has been found by Maxime Richez.
With issue9108, the trytond server does not enforce access right on wizard relying on the access right of the model on which it runs.
So an authenticated user can execute some wizards for which he does not have the right.
Impact
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low
- Availability: None
Workaround
The administrator can set explicit access right on those wizards.
Resolution
All affected users should upgrade trytond to the latest version.
Affected versions per series:
- 5.4: <= 5.4.4
- 5.2: <= 5.2.12
- 5.0: <=5.0.18
Non affected versions per series:
- 5.4: >= 5.4.5
- 5.2: >= 5.2.13
- 5.0: >= 5.0.19
Reference
Concern?
Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type security .