Albert Cervera has found that trytond allows reports to be executed for records to which the user has no read access, and also for reports restricted to a set of groups of which the user is not a member.
Impact
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: None
Workaround
There is no known workaround.
Resolution
All affected users should upgrade trytond to the latest version.
Affected versions per series:
trytond
- 7.2: <= 7.2.8
- 7.0: <= 7.0.17
- 6.0: <= 6.0.51
Non-affected versions per series:
trytond
- 7.2: >= 7.2.9
- 7.0: >= 7.0.18
- 6.0: >= 6.0.52
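To turn the version table above into something an operator can run against an installation, here is a small added checker (not part of the advisory or of the trytond project). It encodes only the ranges the advisory lists: a series that is not listed yields no verdict rather than a guess. The attempt to read `trytond.__version__` from an installed package is an assumption about that package; when it is not installed the script falls back to a constructed sample version.

```python
import re

# Last affected patch release per series, inclusive, as listed in the advisory.
# Series not present here are not covered by the advisory.
LAST_AFFECTED = {
    (7, 2): (7, 2, 8),
    (7, 0): (7, 0, 17),
    (6, 0): (6, 0, 51),
}


def parse_version(version):
    """Parse 'X.Y.Z' (any trailing qualifier ignored) into a tuple of ints."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised trytond version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if the version is in an affected range, False if it is fixed,
    None if the advisory does not list that series at all."""
    parsed = parse_version(version)
    last = LAST_AFFECTED.get(parsed[:2])
    if last is None:
        return None
    return parsed <= last


def first_fixed(version):
    """Return the first fixed release of the version's series as 'X.Y.Z',
    or None if the series is not listed in the advisory."""
    parsed = parse_version(version)
    last = LAST_AFFECTED.get(parsed[:2])
    if last is None:
        return None
    return "%d.%d.%d" % (last[0], last[1], last[2] + 1)


def installed_version():
    """Read the installed trytond version (assumes trytond exposes
    __version__); fall back to a constructed sample when not installed."""
    try:
        import trytond  # assumption: package present and exposes __version__
        return trytond.__version__
    except ImportError:
        return "7.2.8"  # constructed sample, not a real installation


if __name__ == "__main__":
    current = installed_version()
    verdict = is_affected(current)
    if verdict is None:
        print(f"trytond {current}: series not listed in this advisory")
    elif verdict:
        print(f"trytond {current}: AFFECTED, upgrade to >= {first_fixed(current)}")
    else:
        print(f"trytond {current}: not affected")
```

Because the check compares whole version tuples within a series, a release such as 7.2.10 sorts correctly after 7.2.9, which a plain string comparison would get wrong.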
Reference
Concerns?
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.