HIGH 7.1

GHSA-p3p5-xrmv-4j6x

trytond does not enforce access rights for the route of the HTML editor.

Details

Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

Affected packages

PyPI / trytond
Introduced in: 7.5.0, Fixed in: 7.6.11
Fix: pip install --upgrade 'trytond>=7.6.11'

PyPI / trytond
Introduced in: 7.1.0, Fixed in: 7.4.21
Fix: pip install --upgrade 'trytond>=7.4.21'

PyPI / trytond
Introduced in: 7.0.0, Fixed in: 7.0.40
Fix: pip install --upgrade 'trytond>=7.0.40'

PyPI / trytond
Introduced in: 6.0.0, Fixed in: 6.0.70
Fix: pip install --upgrade 'trytond>=6.0.70'
