Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
https://foss.heptapod.net/tryton/tryton/-/issues/14364
https://discuss.tryton.org/t/security-release-for-issue-14364/8952