Vulnerabilities > CVE-2019-10868 - Missing Authorization vulnerability in multiple products

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

tryton

debian

CWE-862

nessus

NVD

Published: 2019-04-05

Updated: 2020-08-26

Summary

In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

Vulnerable Configurations

Part	Description	Count
Application	Tryton Tryton Trytond 4.2.0 Tryton Trytond 4.2.1 Tryton Trytond 4.2.2 Tryton Trytond 4.2.3 Tryton Trytond 4.2.4 Tryton Trytond 4.2.5 Tryton Trytond 4.2.6 Tryton Trytond 4.2.7 Tryton Trytond 4.2.8 Tryton Trytond 4.2.9 Tryton Trytond 4.2.10 Tryton Trytond 4.2.11 Tryton Trytond 4.2.12 Tryton Trytond 4.2.13 Tryton Trytond 4.2.14 Tryton Trytond 4.2.15 Tryton Trytond 4.2.16 Tryton Trytond 4.2.17 Tryton Trytond 4.2.18 Tryton Trytond 4.2.19 Tryton Trytond 4.2.20 Tryton Trytond 4.4.0 Tryton Trytond 4.4.1 Tryton Trytond 4.4.2 Tryton Trytond 4.4.3 Tryton Trytond 4.4.4 Tryton Trytond 4.4.5 Tryton Trytond 4.4.6 Tryton Trytond 4.4.7 Tryton Trytond 4.4.8 Tryton Trytond 4.4.9 Tryton Trytond 4.4.10 Tryton Trytond 4.4.11 Tryton Trytond 4.4.12 Tryton Trytond 4.4.13 Tryton Trytond 4.4.14 Tryton Trytond 4.4.15 Tryton Trytond 4.4.16 Tryton Trytond 4.4.17 Tryton Trytond 4.4.18 Tryton Trytond 4.6.0 Tryton Trytond 4.6.1 Tryton Trytond 4.6.2 Tryton Trytond 4.6.3 Tryton Trytond 4.6.4 Tryton Trytond 4.6.5 Tryton Trytond 4.6.6 Tryton Trytond 4.6.7 Tryton Trytond 4.6.8 Tryton Trytond 4.6.9 Tryton Trytond 4.6.10 Tryton Trytond 4.6.11 Tryton Trytond 4.6.12 Tryton Trytond 4.6.13 Tryton Trytond 4.8.0 Tryton Trytond 4.8.1 Tryton Trytond 4.8.2 Tryton Trytond 4.8.3 Tryton Trytond 4.8.4 Tryton Trytond 4.8.5 Tryton Trytond 4.8.6 Tryton Trytond 4.8.7 Tryton Trytond 4.8.8 Tryton Trytond 4.8.9 Tryton Trytond 5.0.0 Tryton Trytond 5.0.1 Tryton Trytond 5.0.2 Tryton Trytond 5.0.3 Tryton Trytond 5.0.4 Tryton Trytond 5.0.5	70
OS	Debian Debian Debian Linux 9.0	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4426.NASL
description	Cedric Krier discovered that missing access validation in Tryton could result in information disclosure .
last seen	2020-06-01
modified	2020-06-02
plugin id	123800
published	2019-04-08
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/123800
title	Debian DSA-4426-1 : tryton-server - security update

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References