All the vulnerabilites related to Odoo - Odoo Enterprise
cve-2018-15638
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63703 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63703"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Subash SN and Bharath Kumar (Appsecco)"
},
{
"lang": "en",
"value": "Dipanshu Agrawal"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:33",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63703"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2018-15638",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "13.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "13.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Subash SN and Bharath Kumar (Appsecco)"
},
{
"lang": "eng",
"value": "Dipanshu Agrawal"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63703",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63703"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2018-15638",
"datePublished": "2020-12-22T16:25:33",
"dateReserved": "2018-08-21T00:00:00",
"dateUpdated": "2024-08-05T10:01:54.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-45071
Vulnerability from cvelistv5
Published
2023-04-25 18:29
Modified
2024-08-04 04:32
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-45071",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T20:57:21.835919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T20:57:39.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107697"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Lauri Vakkala"
},
{
"lang": "eng",
"type": "finder",
"value": "An\u0131l Y\u00fcksel"
},
{
"lang": "eng",
"type": "finder",
"value": "Agustin Maio"
},
{
"lang": "eng",
"type": "finder",
"value": "Johannes Moritz"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107697"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-45071",
"datePublished": "2023-04-25T18:29:52.108Z",
"dateReserved": "2021-12-27T06:22:26.008Z",
"dateUpdated": "2024-08-04T04:32:13.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-23203
Vulnerability from cvelistv5
Published
2023-04-25 18:35
Modified
2024-08-03 19:05
Severity ?
EPSS score ?
Summary
Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107695"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "14.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Tiffany Chang"
},
{
"lang": "eng",
"type": "finder",
"value": "iamsushi"
},
{
"lang": "eng",
"type": "finder",
"value": "Ranjit Pahan"
},
{
"lang": "eng",
"type": "finder",
"value": "Iago Ruiz"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107695"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-23203",
"datePublished": "2023-04-25T18:35:38.489Z",
"dateReserved": "2021-07-20T14:28:12.189Z",
"dateUpdated": "2024-08-03T19:05:55.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-15645
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Severity ?
EPSS score ?
Summary
Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63705 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63705"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "12.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "12.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nils Hamerlinck (Trobz)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:34",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63705"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2018-15645",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nils Hamerlinck (Trobz)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63705",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63705"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2018-15645",
"datePublished": "2020-12-22T16:25:35",
"dateReserved": "2018-08-21T00:00:00",
"dateUpdated": "2024-08-05T10:01:54.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11782
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63707 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.794Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63707"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Damien LESCOS"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:36",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63707"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2019-11782",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "14.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "14.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Damien LESCOS"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63707",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63707"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2019-11782",
"datePublished": "2020-12-22T16:25:36",
"dateReserved": "2019-05-06T00:00:00",
"dateUpdated": "2024-08-04T23:03:32.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11781
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63706 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.878Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63706"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "12.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "12.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "\"iamsushi\""
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:35",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63706"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2019-11781",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "\"iamsushi\""
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63706",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63706"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2019-11781",
"datePublished": "2020-12-22T16:25:35",
"dateReserved": "2019-05-06T00:00:00",
"dateUpdated": "2024-08-04T23:03:32.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-15640
Vulnerability from cvelistv5
Published
2019-04-09 15:41
Modified
2024-09-16 22:02
Severity ?
EPSS score ?
Summary
Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/32514 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/32514"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "12.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-04-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-09T15:41:20",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/32514"
}
],
"source": {
"advisory": "ODOO-SA-2018-11-28-1",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"DATE_PUBLIC": "2019-04-05T14:00:00.000Z",
"ID": "CVE-2018-15640",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.0"
},
{
"version_affected": "\u003e=",
"version_value": "10.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/32514",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/32514"
}
]
},
"source": {
"advisory": "ODOO-SA-2018-11-28-1",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2018-15640",
"datePublished": "2019-04-09T15:41:20.453639Z",
"dateReserved": "2018-08-21T00:00:00",
"dateUpdated": "2024-09-16T22:02:03.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-15632
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Severity ?
EPSS score ?
Summary
Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63700 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.286Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63700"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "11.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "11.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "P. Valov (SoCyber)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:31",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63700"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2018-15632",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "11.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "11.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "P. Valov (SoCyber)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63700",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63700"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2018-15632",
"datePublished": "2020-12-22T16:25:31",
"dateReserved": "2018-08-21T00:00:00",
"dateUpdated": "2024-08-05T10:01:54.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11780
Vulnerability from cvelistv5
Published
2019-12-19 15:50
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/42196 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/42196"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"status": "affected",
"version": "13.0"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"status": "affected",
"version": "13.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Swapnesh Shah"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-19T15:50:12",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/42196"
}
],
"source": {
"advisory": "ODOO-SA-2019-10-25-1",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2019-11780",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "13.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "13.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Swapnesh Shah"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/42196",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/42196"
}
]
},
"source": {
"advisory": "ODOO-SA-2019-10-25-1",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2019-11780",
"datePublished": "2019-12-19T15:50:12",
"dateReserved": "2019-05-06T00:00:00",
"dateUpdated": "2024-08-04T23:03:32.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-23176
Vulnerability from cvelistv5
Published
2023-04-25 18:32
Modified
2024-08-03 19:05
Severity ?
EPSS score ?
Summary
Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-23176",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T15:55:28.408420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T15:55:44.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:54.464Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107682"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Florent Mirieu de Labarre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107682"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-23176",
"datePublished": "2023-04-25T18:32:31.407Z",
"dateReserved": "2021-12-27T06:14:42.052Z",
"dateUpdated": "2024-08-03T19:05:54.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-44476
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:25
Severity ?
EPSS score ?
Summary
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:25:16.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107684"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Toufik Ben Jaa"
}
],
"descriptions": [
{
"lang": "en",
"value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107684"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-44476",
"datePublished": "2023-04-25T18:33:32.237Z",
"dateReserved": "2021-12-27T06:14:42.065Z",
"dateUpdated": "2024-08-04T04:25:16.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-44461
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:25
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-44461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T14:56:19.460796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T14:56:28.883Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:25:16.399Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107686"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "13.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107686"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-44461",
"datePublished": "2023-04-25T18:33:34.490Z",
"dateReserved": "2021-12-27T06:17:50.969Z",
"dateUpdated": "2024-08-04T04:25:16.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-29396
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 16:55
Severity ?
EPSS score ?
Summary
A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63712 | x_refsource_MISC | |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:55:09.224Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63712"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0",
"versionType": "custom"
}
]
},
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Toufik Ben Jaa"
},
{
"lang": "en",
"value": "St\u00e9phane Debauche"
},
{
"lang": "en",
"value": "Beno\u00eet FONTAINE"
}
],
"descriptions": [
{
"lang": "en",
"value": "A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267: Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:17:33",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63712"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2020-29396",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "11.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "11.0"
}
]
}
},
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "13.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "13.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Toufik Ben Jaa"
},
{
"lang": "eng",
"value": "St\u00e9phane Debauche"
},
{
"lang": "eng",
"value": "Beno\u00eet FONTAINE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-267: Privilege Defined With Unsafe Actions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63712",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63712"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2020-29396",
"datePublished": "2020-12-22T16:25:39",
"dateReserved": "2020-11-30T00:00:00",
"dateUpdated": "2024-08-04T16:55:09.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-23166
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-03 19:05
Severity ?
EPSS score ?
Summary
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107687"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Nils Hamerlinck"
}
],
"descriptions": [
{
"lang": "en",
"value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107687"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-23166",
"datePublished": "2023-04-25T18:33:35.417Z",
"dateReserved": "2021-12-27T06:17:50.974Z",
"dateUpdated": "2024-08-03T19:05:55.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11784
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63709 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.743Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63709"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:37",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63709"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2019-11784",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "14.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "14.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": ""
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63709",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63709"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2019-11784",
"datePublished": "2020-12-22T16:25:37",
"dateReserved": "2019-05-06T00:00:00",
"dateUpdated": "2024-08-04T23:03:32.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-44460
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:25
Severity ?
EPSS score ?
Summary
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-44460",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T13:23:44.267561Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T20:32:56.009Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:25:16.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107685"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Xavier Morel"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107685"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-44460",
"datePublished": "2023-04-25T18:33:33.360Z",
"dateReserved": "2021-12-27T06:17:50.956Z",
"dateUpdated": "2024-08-04T04:25:16.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-15635
Vulnerability from cvelistv5
Published
2019-04-09 15:41
Modified
2024-08-05 10:01
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a crafted name.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/32515 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.167Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/32515"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "12.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "12.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a crafted name."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-09T15:41:20",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/32515"
}
],
"source": {
"advisory": "ODOO-SA-2018-11-28-2",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2018-15635",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a crafted name."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/32515",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/32515"
}
]
},
"source": {
"advisory": "ODOO-SA-2018-11-28-2",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2018-15635",
"datePublished": "2019-04-09T15:41:20",
"dateReserved": "2018-08-21T00:00:00",
"dateUpdated": "2024-08-05T10:01:54.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-23178
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-03 19:05
Severity ?
EPSS score ?
Summary
Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim's payment method to be charged instead.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "odoo_community",
"vendor": "odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "odoo_enterprise",
"vendor": "odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-23178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T13:46:25.204237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T13:48:33.754Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:53.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107690"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Parth Gajjar"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim\u0027s payment method to be charged instead."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107690"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-23178",
"datePublished": "2023-04-25T18:33:37.875Z",
"dateReserved": "2021-12-27T06:19:18.867Z",
"dateUpdated": "2024-08-03T19:05:53.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-45111
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:39
Severity ?
EPSS score ?
Summary
Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-45111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T13:41:04.565422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T13:41:21.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.253Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107683"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Nils Hamerlinck"
},
{
"lang": "eng",
"type": "finder",
"value": "Yenthe Van Ginneken"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107683"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-45111",
"datePublished": "2023-04-25T18:33:00.392Z",
"dateReserved": "2021-12-27T06:14:42.059Z",
"dateUpdated": "2024-08-04T04:39:20.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-26947
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-03 20:33
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-26947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T15:39:58.913170Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T13:31:53.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.300Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107694"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Nils Hamerlinck"
},
{
"lang": "eng",
"type": "finder",
"value": "Andreas Perhab"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107694"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-26947",
"datePublished": "2023-04-25T18:33:41.553Z",
"dateReserved": "2021-12-27T06:22:25.995Z",
"dateUpdated": "2024-08-03T20:33:41.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11786
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63711 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63711"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Martin Trigaux"
},
{
"lang": "en",
"value": "Alexandre Diaz"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:38",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63711"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2019-11786",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "13.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "13.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Martin Trigaux"
},
{
"lang": "eng",
"value": "Alexandre Diaz"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63711",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63711"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2019-11786",
"datePublished": "2020-12-22T16:25:38",
"dateReserved": "2019-05-06T00:00:00",
"dateUpdated": "2024-08-04T23:03:32.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-23186
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-03 19:05
Severity ?
EPSS score ?
Summary
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "odoo_community",
"vendor": "odoo",
"versions": [
{
"lessThan": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "odoo_enterprise",
"vendor": "odoo",
"versions": [
{
"lessThan": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-23186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T20:54:45.816025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T20:57:01.095Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:53.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107688"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Nils Hamerlinck"
}
],
"descriptions": [
{
"lang": "en",
"value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107688"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-23186",
"datePublished": "2023-04-25T18:33:36.536Z",
"dateReserved": "2021-12-27T06:19:18.852Z",
"dateUpdated": "2024-08-03T19:05:53.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-44775
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:32
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-44775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T13:57:10.321947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T13:57:17.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107691"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Holger Brunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107691"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-44775",
"datePublished": "2023-04-25T18:33:38.887Z",
"dateReserved": "2021-12-28T11:57:09.384Z",
"dateUpdated": "2024-08-04T04:32:13.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-15633
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63701 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.221Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63701"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "11.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "11.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nathanael ROTA (Capgemini)"
},
{
"lang": "en",
"value": "Lauri Vakkala (Silverskin)"
},
{
"lang": "en",
"value": "Tomas Canzoniero"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) issue in \"document\" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:32",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63701"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2018-15633",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "11.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "11.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nathanael ROTA (Capgemini)"
},
{
"lang": "eng",
"value": "Lauri Vakkala (Silverskin)"
},
{
"lang": "eng",
"value": "Tomas Canzoniero"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) issue in \"document\" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63701",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63701"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2018-15633",
"datePublished": "2020-12-22T16:25:32",
"dateReserved": "2018-08-21T00:00:00",
"dateUpdated": "2024-08-05T10:01:54.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-44465
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:25
Severity ?
EPSS score ?
Summary
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:25:16.836Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107692"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Swapnesh Shah"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107692"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-44465",
"datePublished": "2023-04-25T18:33:39.776Z",
"dateReserved": "2021-12-28T11:57:09.374Z",
"dateUpdated": "2024-08-04T04:25:16.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11785
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63710 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.751Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63710"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nils Hamerlinck (Trobz)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:38",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63710"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2019-11785",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "13.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "13.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nils Hamerlinck (Trobz)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63710",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63710"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2019-11785",
"datePublished": "2020-12-22T16:25:38",
"dateReserved": "2019-05-06T00:00:00",
"dateUpdated": "2024-08-04T23:03:32.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-15631
Vulnerability from cvelistv5
Published
2019-04-09 15:41
Modified
2024-08-05 10:01
Severity ?
EPSS score ?
Summary
Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/ | x_refsource_MISC | |
| https://github.com/odoo/odoo/issues/32516 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.359Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/32516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "12.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "12.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-06T15:06:16",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/32516"
}
],
"source": {
"advisory": "ODOO-SA-2018-11-28-3",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2018-15631",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/",
"refsource": "MISC",
"url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/"
},
{
"name": "https://github.com/odoo/odoo/issues/32516",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/32516"
}
]
},
"source": {
"advisory": "ODOO-SA-2018-11-28-3",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2018-15631",
"datePublished": "2019-04-09T15:41:20",
"dateReserved": "2018-08-21T00:00:00",
"dateUpdated": "2024-08-05T10:01:54.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-15634
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63702 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63702"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nathanael ROTA (Capgemini)"
},
{
"lang": "en",
"value": "Alessandro Innocenti"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:33",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63702"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2018-15634",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "14.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "14.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nathanael ROTA (Capgemini)"
},
{
"lang": "eng",
"value": "Alessandro Innocenti"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63702",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63702"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2018-15634",
"datePublished": "2020-12-22T16:25:33",
"dateReserved": "2018-08-21T00:00:00",
"dateUpdated": "2024-08-05T10:01:54.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-44547
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:25
Severity ?
EPSS score ?
Summary
A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading to privilege escalation.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-44547",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T16:25:59.608086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T16:26:11.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:25:16.862Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107696"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Stephane Debauche"
}
],
"descriptions": [
{
"lang": "en",
"value": "A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading to privilege escalation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107696"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-44547",
"datePublished": "2023-04-25T18:33:42.884Z",
"dateReserved": "2021-12-27T06:22:26.001Z",
"dateUpdated": "2024-08-04T04:25:16.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11783
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63708 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63708"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nils Hamerlinck (Trobz)"
},
{
"lang": "en",
"value": "Christopher Riis Bubeck Eriksen"
},
{
"lang": "en",
"value": "Alexandre Diaz"
},
{
"lang": "en",
"value": "\"Raspina Net Pars Group\""
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:36",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63708"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2019-11783",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "14.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "14.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nils Hamerlinck (Trobz)"
},
{
"lang": "eng",
"value": "Christopher Riis Bubeck Eriksen"
},
{
"lang": "eng",
"value": "Alexandre Diaz"
},
{
"lang": "eng",
"value": "\"Raspina Net Pars Group\""
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63708",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63708"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2019-11783",
"datePublished": "2020-12-22T16:25:36",
"dateReserved": "2019-05-06T00:00:00",
"dateUpdated": "2024-08-04T23:03:32.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-26263
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-03 20:19
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Odoo | Odoo Community | |
| Odoo | Odoo Enterprise |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:odoo:odoo_community:14.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "odoo_community",
"vendor": "odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "14.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:odoo:odoo_enterprise:14.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "odoo_enterprise",
"vendor": "odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "14.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-26263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T14:49:47.368802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T14:56:17.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:20.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/107693"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "14.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "15.0",
"status": "affected",
"version": "14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "eng",
"type": "finder",
"value": "Theodoros Malachias"
},
{
"lang": "eng",
"type": "finder",
"value": "iamsushi"
},
{
"lang": "eng",
"type": "finder",
"value": "Ranjit Pahan"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"url": "https://github.com/odoo/odoo/issues/107693"
},
{
"url": "https://www.debian.org/security/2023/dsa-5399"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2021-26263",
"datePublished": "2023-04-25T18:33:40.613Z",
"dateReserved": "2021-07-20T14:28:12.183Z",
"dateUpdated": "2024-08-03T20:19:20.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-15641
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/odoo/odoo/issues/63704 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.277Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63704"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0",
"versionType": "custom"
}
]
},
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "msg systems ag"
},
{
"lang": "en",
"value": "Lauri Vakkala (Silverskin)"
},
{
"lang": "en",
"value": "Bharath Kumar (Appsecco)"
},
{
"lang": "en",
"value": "An\u0131l Y\u00fcksel"
},
{
"lang": "en",
"value": "Aitor Fuentes (kr0no)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:34",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63704"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2018-15641",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "11.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "11.0"
}
]
}
},
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "14.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "14.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "msg systems ag"
},
{
"lang": "eng",
"value": "Lauri Vakkala (Silverskin)"
},
{
"lang": "eng",
"value": "Bharath Kumar (Appsecco)"
},
{
"lang": "eng",
"value": "An\u0131l Y\u00fcksel"
},
{
"lang": "eng",
"value": "Aitor Fuentes (kr0no)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63704",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63704"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2018-15641",
"datePublished": "2020-12-22T16:25:34",
"dateReserved": "2018-08-21T00:00:00",
"dateUpdated": "2024-08-05T10:01:54.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}