{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "9.0" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "4.2.0" }, { "fixed": "4.2.21" }, { "introduced": "4.4.0" }, { "fixed": "4.4.19" }, { "introduced": "4.6.0" }, { "fixed": "4.6.14" }, { "introduced": "4.8.0" }, { "fixed": "4.8.10" }, { "introduced": "5.0.0" }, { "fixed": "5.0.6" } ] }, "events": [ { "introduced": "26938217164a2f84d2bf0bc851271af0d4880ec0" }, { "fixed": "3de46d5399b0e0b22dbdc5206b740c87d4cda5e1" }, { "introduced": "02f9c30520d1de6ad17b2f8dd00a997ace1793dc" }, { "fixed": "e3ddcfe9d2d92e9549659e83c5de2e44cab6c54f" }, { "introduced": "98565b84c9322c84781e2b69670832f8f87362c9" }, { "fixed": "b670084567205d83cb3099f286160f29062665f3" }, { "introduced": "a64abd4165136b507433812ed42e7f4289405a86" }, { "fixed": "6f411f903e77d2527ef5560976de3cbee6526fe1" }, { "introduced": "49399603b2eb8d9516df84e3a3855c885fcf9fc5" }, { "fixed": "acae5ad5ad40a6ef075720fdc9a38606f6ead244" } ], "repo": "https://github.com/tryton/trytond", "type": "GIT" } ] } ], "details": "In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.", "id": "CVE-2019-10868", "modified": "2026-04-01T23:09:11.983693905Z", "published": "2019-04-05T01:29:00.207Z", "references": [ { "type": "ADVISORY", "url": "https://discuss.tryton.org/t/security-release-for-issue8189/1262" }, { "type": "ADVISORY", "url": "https://seclists.org/bugtraq/2019/Apr/14" }, { "type": "ADVISORY", "url": "https://www.debian.org/security/2019/dsa-4426" }, { "type": "FIX", "url": "https://hg.tryton.org/trytond/rev/f58bbfe0aefb" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ] }