Vulnerability	Vulnerable Version
H Arbitrary Command Injection Affected versions of this package are vulnerable to Arbitrary Command Injection via the `safe_eval` function. It allows remote authenticated users to execute arbitrary commands via shell metacharacters in the `collection.domain` in the `webdav` module or the formula field in the `price_list` module. How to fix Arbitrary Command Injection? Upgrade `trytond` to version 2.4.15, 2.6.14, 2.8.11, 3.0.7, 3.2.3 or higher.	[,2.4.15)[2.6.0,2.6.14)[2.8.0,2.8.11)[3.0.0,3.0.7)[3.2.0,3.2.3)
M Directory Traversal `trytond` is a Tryton server. file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.	[,3.2.17)[3.4,3.4.14)[3.6,3.6.12)[3.8,3.8.8)[4,4.0.4)
M Privilege Escalation `trytond` is a Tryton server model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.	[,2.4.0)

Go back to all versions of this package