[Bug 1197032] New: VUL-0: CVE-2022-26661: trytond: authenticated user can make the server parse a crafted XML SEPA file
http://bugzilla.opensuse.org/show_bug.cgi?id=1197032

Bug ID: 1197032
Summary: VUL-0: CVE-2022-26661: trytond: authenticated user can make the server parse a crafted XML SEPA file
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.3
Hardware: Other
URL: https://smash.suse.de/issue/325791/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Basesystem
Assignee: axel.braun@gmx.de
Reporter: abergmann@suse.com
QA Contact: security-team@suse.de
CC: eldy@destailleur.fr
Found By: Security Response Team
Blocker: ---

CVE-2022-26661

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26661
http://www.debian.org/security/-1/dsa-5099
http://www.debian.org/security/-1/dsa-5098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26661
https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/...
https://bugs.tryton.org/issue11219

--
You are receiving this mail because:
You are on the CC list for the bug.
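An added example, not code from the bug report or from the Tryton project, and not the project's actual fix: one defensive way for a server to handle an untrusted XML upload of the kind described above is to refuse any document that declares a DTD or entities before a tree is built. The function names and the sample documents are constructed for illustration; only the Python standard library is used.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when an uploaded document carries a DTD or entity declaration."""


def _reject(kind):
    # Build an expat callback that aborts parsing as soon as it fires.
    def handler(*args):
        raise ForbiddenXML(f"{kind} not allowed in uploaded XML")
    return handler


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse untrusted XML, refusing any DOCTYPE or entity declaration."""
    # First pass: stream through expat only to look for declarations.
    # XXE depends on a DTD that declares an external entity, so a document
    # without any DOCTYPE cannot pull in local files through the parser.
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject("DOCTYPE")
    scanner.EntityDeclHandler = _reject("entity declaration")
    scanner.ExternalEntityRefHandler = _reject("external entity reference")
    scanner.Parse(data, True)
    # Second pass: the document is declaration-free, so build the tree.
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the upload parses and contains no DTD or entity declaration."""
    try:
        parse_untrusted_xml(data)
        return True
    except (ForbiddenXML, expat.ExpatError, ET.ParseError):
        return False


# Constructed sample inputs (hypothetical, not taken from the bug report).
CLEAN = b'<?xml version="1.0"?><Document><Stmt><Id>1</Id></Stmt></Document>'
CRAFTED = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE Document [<!ENTITY ref SYSTEM "file:///placeholder">]>'
           b'<Document><Id>&ref;</Id></Document>')

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("crafted", CRAFTED)):
        print(name, "accepted" if is_accepted(doc) else "rejected")
```

Rejecting the DOCTYPE outright also covers internal-entity expansion tricks, at the cost of refusing uploads that legitimately carry a DTD.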