{"id":"CVE-2019-10868","details":"In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.","aliases":["GHSA-f6f2-pwrj-64h3","PYSEC-2019-127"],"modified":"2026-04-02T01:29:36.732355Z","published":"2019-04-05T01:29:00.207Z","references":[{"type":"ADVISORY","url":"https://discuss.tryton.org/t/security-release-for-issue8189/1262"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Apr/14"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4426"},{"type":"FIX","url":"https://hg.tryton.org/trytond/rev/f58bbfe0aefb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tryton/trytond","events":[{"introduced":"26938217164a2f84d2bf0bc851271af0d4880ec0"},{"fixed":"3de46d5399b0e0b22dbdc5206b740c87d4cda5e1"},{"introduced":"02f9c30520d1de6ad17b2f8dd00a997ace1793dc"},{"fixed":"e3ddcfe9d2d92e9549659e83c5de2e44cab6c54f"},{"introduced":"98565b84c9322c84781e2b69670832f8f87362c9"},{"fixed":"b670084567205d83cb3099f286160f29062665f3"},{"introduced":"a64abd4165136b507433812ed42e7f4289405a86"},{"fixed":"6f411f903e77d2527ef5560976de3cbee6526fe1"},{"introduced":"49399603b2eb8d9516df84e3a3855c885fcf9fc5"},{"fixed":"acae5ad5ad40a6ef075720fdc9a38606f6ead244"}],"database_specific":{"versions":[{"introduced":"4.2.0"},{"fixed":"4.2.21"},{"introduced":"4.4.0"},{"fixed":"4.4.19"},{"introduced":"4.6.0"},{"fixed":"4.6.14"},{"introduced":"4.8.0"},{"fixed":"4.8.10"},{"introduced":"5.0.0"},{"fixed":"5.0.6"}]}}],"versions":["4.2.0","4.2.1","4.2.10","4.2.11","4.2.12","4.2.13","4.2.14","4.2.15","4.2.16","4.2.17","4.2.18","4.2.19","4.2.2","4.2.20","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2.8","4.2.9","4.4.0","4.4.1","4.4.10","4.4.11","4.4.12","4.4.13","4.4.14","4.4.15","4.4.16","4.4.17","4.4.18","4.4.2","4.4.3","4.4.4","4.4.5","4.4.6","4.4.7","4.4.8","4.4.9","4.6.0","4.6.1","4.6.10","4.6.11","4.6.12","4.6.13","4.6.2","4.6.3","4.6.4","4.6.5","4.6.6","4.6.7","4.6.8","4.6.9","4.8.0","4.8.1","4.8.2","4.8.3","4.8.4","4.8.5","4.8.6","4.8.7","4.8.8","4.8.9","5.0.0","5.0.1","5.0.2","5.0.3","5.0.4","5.0.5","5.2.0","5.2.1","5.2.10","5.2.11","5.2.12","5.2.13","5.2.14","5.2.15","5.2.16","5.2.17","5.2.18","5.2.19","5.2.2","5.2.20","5.2.3","5.2.4","5.2.5","5.2.6","5.2.7","5.2.8","5.2.9","5.4.0","5.4.1","5.4.10","5.4.11","5.4.12","5.4.13","5.4.14","5.4.15","5.4.16","5.4.17","5.4.18","5.4.19","5.4.2","5.4.20","5.4.3","5.4.4","5.4.5","5.4.6","5.4.7","5.4.8","5.4.9","5.6.0","5.6.1","5.6.10","5.6.11","5.6.12","5.6.13","5.6.14","5.6.15","5.6.16","5.6.17","5.6.2","5.6.3","5.6.4","5.6.5","5.6.6","5.6.7","5.6.8","5.6.9","5.8.0","5.8.1","5.8.10","5.8.11","5.8.12","5.8.13","5.8.14","5.8.15","5.8.16","5.8.2","5.8.3","5.8.4","5.8.5","5.8.6","5.8.7","5.8.8","5.8.9","6.0.0","6.0.1","6.0.10","6.0.11","6.0.12","6.0.13","6.0.14","6.0.15","6.0.16","6.0.17","6.0.18","6.0.19","6.0.2","6.0.20","6.0.21","6.0.22","6.0.23","6.0.24","6.0.3","6.0.4","6.0.5","6.0.6","6.0.7","6.0.8","6.0.9","6.2.0","6.2.1","6.2.10","6.2.11","6.2.12","6.2.13","6.2.14","6.2.2","6.2.3","6.2.4","6.2.5","6.2.6","6.2.7","6.2.8","6.2.9","6.4.0","6.4.1","6.4.2","6.4.3","6.4.4","6.4.5","6.4.6","6.4.7","6.4.8","6.6.0","6.6.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10868.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}