model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: debian

Published: 2012-07-12T20:00:00Z

Updated: 2024-09-16T16:53:53.880Z

Reserved: 2011-12-14T00:00:00Z

Link: CVE-2012-0215

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2012-07-12T20:55:09.857

Modified: 2024-11-21T01:34:35.840

Link: CVE-2012-0215

cve-icon Redhat

No data.