{"id":"PYSEC-2019-127","details":"In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records by a field to which they have no access right. Observing the resulting record order may allow the user to guess the values of that field.","aliases":["CVE-2019-10868","GHSA-f6f2-pwrj-64h3"],"modified":"2023-11-08T04:00:58.397634Z","published":"2019-04-05T01:29:00Z","references":[{"type":"WEB","url":"https://hg.tryton.org/trytond/rev/f58bbfe0aefb"},{"type":"WEB","url":"https://discuss.tryton.org/t/security-release-for-issue8189/1262"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4426"},{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Apr/14"}],"affected":[{"package":{"name":"trytond","ecosystem":"PyPI","purl":"pkg:pypi/trytond"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.2.0"},{"fixed":"4.2.21"},{"introduced":"4.4.0"},{"fixed":"4.4.19"},{"introduced":"4.6.0"},{"fixed":"4.6.14"},{"introduced":"4.8.0"},{"fixed":"4.8.10"},{"introduced":"5.0.0"},{"fixed":"5.0.6"}]}],"versions":["4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2.8","4.2.9","4.2.10","4.2.11","4.2.12","4.2.13","4.2.14","4.2.15","4.2.16","4.2.17","4.2.18","4.2.19","4.2.20","4.4.0","4.4.1","4.4.2","4.4.3","4.4.4","4.4.5","4.4.6","4.4.7","4.4.8","4.4.9","4.4.10","4.4.11","4.4.12","4.4.13","4.4.14","4.4.15","4.4.16","4.4.17","4.4.18","4.6.0","4.6.1","4.6.2","4.6.3","4.6.4","4.6.5","4.6.6","4.6.7","4.6.8","4.6.9","4.6.10","4.6.11","4.6.12","4.6.13","4.8.0","4.8.1","4.8.2","4.8.3","4.8.4","4.8.5","4.8.6","4.8.7","4.8.8","4.8.9","5.0.0","5.0.1","5.0.2","5.0.3","5.0.4","5.0.5"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/trytond/PYSEC-2019-127.yaml"}}],"schema_version":"1.7.3"}