Your message dated Mon, 24 Nov 2025 11:34:41 +0000
with message-id <[email protected]>
and subject line Bug#1121233: fixed in tryton-sao 7.0.40+ds1-1
has caused the Debian Bug report #1121233,
regarding tryton-sao: Stored XSS Vulnerability Found in Party Field Leading to 
Arbitrary JavaScript Execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121233: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121233
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tryton-sao
Version: 7.0.38+ds1-1
Severity: important
Tags: security upstream
Forwarded: https://foss.heptapod.net/tryton/tryton/-/issues/14363
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi

Adding a tracking bug for 
https://discuss.tryton.org/t/security-release-for-issue-14363/8951
| Abdulfatah Abdillahi has found that sao does not escape the
| completion values. The content of completion is generally the record
| name which may be edited in many ways depending on the model. The
| content may include some JavaScript which is executed in the same
| context as sao which gives access to sensitive data such as the
| session.

https://foss.heptapod.net/tryton/tryton/-/issues/14363

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: tryton-sao
Source-Version: 7.0.40+ds1-1
Done: Mathias Behrle <[email protected]>

We believe that the bug you reported is fixed in the latest version of
tryton-sao, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathias Behrle <[email protected]> (supplier of updated tryton-sao package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 24 Nov 2025 11:46:38 +0100
Source: tryton-sao
Architecture: source
Version: 7.0.40+ds1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Tryton Maintainers <[email protected]>
Changed-By: Mathias Behrle <[email protected]>
Closes: 1121233
Changes:
 tryton-sao (7.0.40+ds1-1) unstable; urgency=high
 .
   * Merging upstream version 7.0.40 (Closes: #1121233).
     Includes the fixes for security release for
     https://discuss.tryton.org/t/security-release-for-issue-14363/8951



--- End Message ---
