Vulnerabilities > CVE-2022-26661 - XXE vulnerability in multiple products

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

tryton

debian

CWE-611

NVD

Published: 2022-03-10

Updated: 2022-03-18

Summary

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

Vulnerable Configurations

Part	Description	Count
Application	Tryton Tryton Proteus 5.0.0 Tryton Proteus 5.0.11 Tryton Proteus 6.0.0 Tryton Proteus 6.0.4 Tryton Proteus 6.2.0 Tryton Proteus 6.2.1 Tryton Trytond 6.2.0 Tryton Trytond 6.2.5 Tryton Trytond 6.0.0 Tryton Trytond 6.0.15 Tryton Trytond 5.0.0 Tryton Trytond 5.0.1 Tryton Trytond 5.0.2 Tryton Trytond 5.0.3 Tryton Trytond 5.0.4 Tryton Trytond 5.0.5 Tryton Trytond 5.0.6 Tryton Trytond 5.0.7 Tryton Trytond 5.0.8 Tryton Trytond 5.0.9 Tryton Trytond 5.0.10 Tryton Trytond 5.0.11 Tryton Trytond 5.0.12 Tryton Trytond 5.0.13 Tryton Trytond 5.0.14 Tryton Trytond 5.0.15 Tryton Trytond 5.0.16 Tryton Trytond 5.0.17 Tryton Trytond 5.0.18 Tryton Trytond 5.0.19 Tryton Trytond 5.0.20 Tryton Trytond 5.0.21 Tryton Trytond 5.0.22 Tryton Trytond 5.0.23 Tryton Trytond 5.0.24 Tryton Trytond 5.0.25 Tryton Trytond 5.0.45	37
OS	Debian Debian Debian Linux 9.0 Debian Debian Linux 10.0 Debian Debian Linux 11.0	3

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References