[tryton-announces] Security Release for issues #13505 and #13506

[News - Tryton Discussion: ced]

Security Release for issues #13505 and #13506 Albert Cervera has found that trytond allows to execute reports for records that user has no read access and also for reports limited to a set of group that the user is not. Impact CVSS v3.0 Base Score: 4.3 Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None Workaround There is no known workaround. Resolution All affected users should upgrade trytond to the latest version. Affected versions per series: trytond: 7.2: <= 7.2.8 7.0: <= 7.0.17 6.0: <= 6.0.51 Non affected versions per series: trytond: 7.2: >= 7.2.9 7.0: >= 7.0.18 6.0: >= 6.0.52 Reference https://bugs.tryton.org/13505 https://bugs.tryton.org/13506 Concerns? Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked. 2 posts - 2 participants Read full topic URL: https://discuss.tryton.org/t/security-release-for-issues-13505-and-13506/7846