Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2022-26661

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

Related bugs and status

CVE-2022-26661 (Candidate) is related to these bugs:

Bug #1971107: Versions in Focal and Jammy are vulnerable to CVE-2022-26661 and CVE-2022-26662

Summary				In	Importance	Status
	1971107	Versions in Focal and Jammy are vulnerable to CVE-2022-26661 and CVE-2022-26662		tryton-proteus (Ubuntu)	Undecided	In Progress
	1971107	Versions in Focal and Jammy are vulnerable to CVE-2022-26661 and CVE-2022-26662		tryton-server (Ubuntu)	Undecided	In Progress

See the

CVE page on Mitre.org for more details.

References

MISC: https://bugs.tryton.or...
MISC: https://discuss.tryton...
MLIST: [debian-lts-announce] ...
MLIST: [debian-lts-announce] ...
DEBIAN: DSA-5098
DEBIAN: DSA-5099