CVE-2022-26662

high

Description

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
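As an added defensive example (not Tryton's code or fix), the Python below guards an XML-RPC request body against the XEE vector by refusing any DOCTYPE or entity declaration before the body reaches the real parser; the size cap, the method name `demo.echo` and both sample bodies are constructed assumptions.

```python
"""Pre-parse guard for XML-RPC bodies: refuse any DOCTYPE or entity
declaration, so entity expansion (the XEE vector) never starts."""
import xml.parsers.expat
import xmlrpc.client

MAX_BODY_BYTES = 1_000_000  # assumption: cap chosen for this example


class UnsafeXmlRpcRequest(ValueError):
    """Body declares a DTD or entities, or exceeds the size cap."""


def check_no_entities(body: bytes) -> None:
    """Walk the body with expat; abort at the first DTD/entity declaration.

    XML-RPC never needs a DTD, so the declaration itself is grounds to
    drop the request. The handlers fire before anything is expanded.
    """
    if len(body) > MAX_BODY_BYTES:
        raise UnsafeXmlRpcRequest("request body exceeds size cap")
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        raise UnsafeXmlRpcRequest("DOCTYPE/entity declarations not allowed")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.Parse(body, True)  # a handler exception propagates out of here


def is_rejected(body: bytes) -> bool:
    """True if the guard refuses the body, False if it may be parsed."""
    try:
        check_no_entities(body)
    except UnsafeXmlRpcRequest:
        return True
    return False


def parse_xmlrpc_request(body: bytes):
    """Guard first, then decode with the stdlib: returns (params, method)."""
    check_no_entities(body)
    return xmlrpc.client.loads(body)


# Constructed sample bodies, not taken from any real traffic.
BENIGN = (b"<?xml version='1.0'?><methodCall><methodName>demo.echo</methodName>"
          b"<params><param><value><string>hi</string></value></param></params>"
          b"</methodCall>")
# One internal entity is enough to trip the guard; it is never expanded.
WITH_DTD = (b"<?xml version='1.0'?><!DOCTYPE methodCall [<!ENTITY a 'x'>]>"
            b"<methodCall><methodName>&a;</methodName></methodCall>")
```

The check costs one extra expat pass per request; the guard itself is what defused-parser libraries do internally, so a project already using one of those can drop the first pass.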

References

https://www.debian.org/security/2022/dsa-5099

https://www.debian.org/security/2022/dsa-5098

https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html

https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html

https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059

https://bugs.tryton.org/issue11244

Details

Source: MITRE, NVD

Published: 2022-03-10

Updated: 2022-03-18

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High