All the vulnerabilities related to odoo - odoo
Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 03:51
Summary
Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "A958BCBB-C656-44A5-A9A9-66A66AEA67A0",
              "versionEndIncluding": "12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "059733D6-977F-4731-BA24-36F6F50F76AB",
              "versionEndIncluding": "12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation."
    },
    {
      "lang": "es",
      "value": "Un control de acceso inapropiado en el enrutamiento de mensajes en Odoo Community versiones 12.0 y anteriores y Odoo Enterprise versiones 12.0 y anteriores, permite a usuarios autenticados remotos crear registros arbitrarios por medio de cargas \u00fatiles dise\u00f1adas, lo que puede permitir una escalada de privilegios"
    }
  ],
  "id": "CVE-2018-15645",
  "lastModified": "2024-11-21T03:51:12.613",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:13.033",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63705"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63705"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 06:31
Summary
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files."
    }
  ],
  "id": "CVE-2021-44476",
  "lastModified": "2024-11-21T06:31:02.570",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.783",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107684"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107684"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-267"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 04:21
Summary
Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "2DBCA075-326A-4F0F-89B9-1437744D0FFC",
              "versionEndIncluding": "14.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "70406DFC-3BE1-46D3-BDDA-47D2156733D9",
              "versionEndIncluding": "14.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation."
    },
    {
      "lang": "es",
      "value": "Un control de acceso inapropiado en Odoo Community versiones 14.0 y anteriores y Odoo Enterprise versiones 14.0 y anteriores, permite a usuarios autenticados remotos con acceso a la administraci\u00f3n de contactos modificar unas cuentas de usuario, conllevando a una escalada de privilegios"
    }
  ],
  "id": "CVE-2019-11782",
  "lastModified": "2024-11-21T04:21:46.990",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:13.190",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63707"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63707"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-03 19:15
Modified
2024-11-21 03:49
Summary
Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request.
Impacted products
Vendor Product Version
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0
odoo odoo 11.0
odoo odoo 11.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "38424B03-4121-4A79-8E4E-4CB4DCD3E4A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1298CF62-A06E-48AD-8141-0541DE3F6381",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request."
    },
    {
      "lang": "es",
      "value": "Un control de acceso incorrecto en el sistema de plantillas de correo en Odoo Community versi\u00f3n 11.0 y versiones anteriores y Odoo Enterprise versi\u00f3n 11.0 y versiones anteriores permite a los usuarios internos autenticados eliminar menuitems arbitrarios a trav\u00e9s de una solicitud RPC dise\u00f1ada."
    }
  ],
  "id": "CVE-2018-14862",
  "lastModified": "2024-11-21T03:49:56.890",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-03T19:15:10.580",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32504"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32504"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 05:51
Summary
Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.
Impacted products
Vendor Product Version
odoo odoo 14.0
odoo odoo 14.0
odoo odoo 15.0
odoo odoo 15.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:14.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "4D952E47-04E1-4146-A3AA-3804A1AB52DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:14.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "BEB5354F-C1AC-48D6-8922-656F952442A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:15.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "EBD0BABD-16C5-449D-8BE7-9E948A509FA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:15.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "24A23452-4857-4F4B-AA5A-944F9073A554",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests."
    }
  ],
  "id": "CVE-2021-23203",
  "lastModified": "2024-11-21T05:51:22.087",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.403",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107695"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107695"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 04:21
Summary
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "97EB1578-CFCC-4301-AEE7-DBBC6A92BC25",
              "versionEndIncluding": "13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "3451E55A-C240-40BF-AA17-E11DC5A56002",
              "versionEndIncluding": "13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements."
    },
    {
      "lang": "es",
      "value": "Un control de acceso inapropiado en Odoo Community versiones 13.0 y anteriores y Odoo Enterprise versiones 13.0 y anteriores, permite a usuarios autenticados remotos modificar unos t\u00e9rminos traducidos, lo que puede conllevar a modificaciones arbitrarias del contenido de unos elementos traducibles"
    }
  ],
  "id": "CVE-2019-11786",
  "lastModified": "2024-11-21T04:21:47.483",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:13.457",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63711"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63711"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 03:51
Summary
Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "97EB1578-CFCC-4301-AEE7-DBBC6A92BC25",
              "versionEndIncluding": "13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "3451E55A-C240-40BF-AA17-E11DC5A56002",
              "versionEndIncluding": "13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names."
    },
    {
      "lang": "es",
      "value": "Un problema de tipo cross-site scripting (XSS) en el m\u00f3dulo mail en Odoo Community versiones 13.0 y anteriores y Odoo Enterprise versiones 13.0 y anteriores, permite a atacantes remotos inyectar un script web arbitrario en el navegador de una v\u00edctima por medio de nombres de canales dise\u00f1ados"
    }
  ],
  "id": "CVE-2018-15638",
  "lastModified": "2024-11-21T03:51:12.177",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:12.847",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63703"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63703"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-03 19:15
Modified
2024-11-21 03:49
Summary
Improper data access control in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export of the secure hashed passwords of other users.
Impacted products
Vendor Product Version
odoo odoo 10.0
odoo odoo 10.0
odoo odoo 11.0
odoo odoo 11.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "38424B03-4121-4A79-8E4E-4CB4DCD3E4A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1298CF62-A06E-48AD-8141-0541DE3F6381",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper data access control in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export of the secure hashed passwords of other users."
    },
    {
      "lang": "es",
      "value": "El control de acceso a los datos indebidos en Odoo Community versi\u00f3n 10.0 y versi\u00f3n 11.0 y Odoo Enterprise versi\u00f3n 10.0 y versi\u00f3n 11.0 permite a los usuarios autenticados realizar una exportaci\u00f3n CSV de las contrase\u00f1as seguras de hash de otros usuarios."
    }
  ],
  "id": "CVE-2018-14861",
  "lastModified": "2024-11-21T03:49:56.727",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-03T19:15:10.503",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32506"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32506"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-05-22 20:29
Modified
2024-11-21 03:28
Summary
Odoo Version <= 8.0-20160726 and Version 9 is affected by: CWE-601: Open redirection. The impact is: obtain sensitive information (remote).
Impacted products
Vendor Product Version
odoo odoo 8.0
odoo odoo 8.0
odoo odoo 9.0
odoo odoo 10.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D140CBF-E659-4E87-8FEE-F19CD2E6B947",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:8.0:20160726:*:*:*:*:*:*",
              "matchCriteriaId": "D8D22138-711E-4A13-80C5-B52C66565BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "59408702-9C9E-4F25-85FB-D4F9AD4949BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A75A14CA-5B6C-4324-B5E5-BED6890D1426",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Odoo Version \u003c= 8.0-20160726 and Version 9 is affected by: CWE-601: Open redirection. The impact is: obtain sensitive information (remote)."
    },
    {
      "lang": "es",
      "value": "Odoo Versi\u00f3n \u003c= 8.0-20160726 y Versi\u00f3n 9, es afectada por: CWE-601: Redirecci\u00f3n abierta. El impacto es: obtener informaci\u00f3n confidencial (remota)."
    }
  ],
  "id": "CVE-2017-5871",
  "lastModified": "2024-11-21T03:28:34.617",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-05-22T20:29:00.433",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://sysdream.com/news/lab/2017-11-20-cve-2017-5871-odoo-url-redirection-to-distrusted-site-open-redirect/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.odoo.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://sysdream.com/news/lab/2017-11-20-cve-2017-5871-odoo-url-redirection-to-distrusted-site-open-redirect/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.odoo.com"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-06-28 18:15
Modified
2024-11-21 03:49
Summary
Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call.
Impacted products
Vendor Product Version
odoo odoo 9.0
odoo odoo 9.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call."
    },
    {
      "lang": "es",
      "value": "Un control de acceso incorrecto en el m\u00f3dulo de cifrado de las contrase\u00f1as en Odoo Community versi\u00f3n 9.0 y Odoo Enterprise versi\u00f3n 9.0 permite a los atacantes autenticados cambiar la contrase\u00f1a de otros usuarios sin conocer su contrase\u00f1a actual mediante una llamada RPC manipulada."
    }
  ],
  "id": "CVE-2018-14868",
  "lastModified": "2024-11-21T03:49:58.237",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-28T18:15:10.473",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/commits/master"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32507"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/commits/master"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32507"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-12-19 16:16
Modified
2024-11-21 04:21
Summary
Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation.
Impacted products
Vendor Product Version
odoo odoo 13.0
odoo odoo 13.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:13.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "4CE8B4A3-0EA3-4813-A511-16FB7D2B06AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:13.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "FDDB70FB-2B58-42B4-96CB-D8C8C152A6A7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation."
    },
    {
      "lang": "es",
      "value": "Un control de acceso inapropiado en el sistema de campos computarizados del framework de Odoo Community versi\u00f3n 13.0 y Odoo Enterprise versi\u00f3n 13.0, permite a atacantes autenticados remotos acceder a informaci\u00f3n confidencial por medio de peticiones RPC dise\u00f1adas, lo que podr\u00eda conllevar a una escalada de privilegios."
    }
  ],
  "id": "CVE-2019-11780",
  "lastModified": "2024-11-21T04:21:46.750",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-12-19T16:16:42.370",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/42196"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/42196"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-07-04 18:29
Modified
2024-11-21 03:06
Summary
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used.
Impacted products
Vendor Product Version
odoo odoo 8.0
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D140CBF-E659-4E87-8FEE-F19CD2E6B947",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used."
    },
    {
      "lang": "es",
      "value": "En Odoo versi\u00f3n 8.0, Odoo Community Edition versiones 9.0 y 10.0, y Odoo Enterprise Edition versiones 9.0 y 10.0, los atacantes remotos pueden omitir la autenticaci\u00f3n bajo ciertas circunstancias porque los par\u00e1metros que contienen caracteres 0x00 est\u00e1n truncados antes de alcanzar la capa de base de datos. Esto ocurre porque es usado Psycopg versi\u00f3n 2.x anterior a 2.6.3."
    }
  ],
  "id": "CVE-2017-10804",
  "lastModified": "2024-11-21T03:06:32.423",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-07-04T18:29:00.227",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/17914"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/psycopg/psycopg2/issues/420"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/17914"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/psycopg/psycopg2/issues/420"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-04-09 16:29
Modified
2024-11-21 03:51
Summary
Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "A958BCBB-C656-44A5-A9A9-66A66AEA67A0",
              "versionEndIncluding": "12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "059733D6-977F-4731-BA24-36F6F50F76AB",
              "versionEndIncluding": "12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request."
    },
    {
      "lang": "es",
      "value": "El control de acceso inadecuado en la aplicaci\u00f3n Discuss de Odoo Community 12.0 y anterior, y Odoo Enterprise 12.0 y anterior permite a los atacantes autenticados remotos enviarse por correo electr\u00f3nico archivos arbitrarios de la base de datos, a trav\u00e9s de una petici\u00f3n RPC dise\u00f1ada."
    }
  ],
  "id": "CVE-2018-15631",
  "lastModified": "2024-11-21T03:51:11.497",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-04-09T16:29:01.087",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32516"
    },
    {
      "source": "security@odoo.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32516"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-06-28 18:15
Modified
2024-11-21 03:50
Summary
The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.
Impacted products
Vendor Product Version
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0
odoo odoo 11.0
odoo odoo 11.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "38424B03-4121-4A79-8E4E-4CB4DCD3E4A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1298CF62-A06E-48AD-8141-0541DE3F6381",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST\u0027s local file inclusion, which allows privileged authenticated users to read local files via a crafted module description."
    },
    {
      "lang": "es",
      "value": "El procesador de descripci\u00f3n de m\u00f3dulos en Odoo Community versi\u00f3n 11.0 y versiones anteriores y Odoo Enterprise versi\u00f3n 11.0 y versiones anteriores no deshabilita la inclusi\u00f3n de archivos locales de RST, lo que permite a los usuarios autenticados privilegiados leer archivos locales a trav\u00e9s de una descripci\u00f3n de m\u00f3dulo manipulada."
    }
  ],
  "id": "CVE-2018-14886",
  "lastModified": "2024-11-21T03:50:00.927",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-28T18:15:10.567",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/commits/master"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32513"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/commits/master"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32513"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-03 19:15
Modified
2024-11-21 03:49
Summary
Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment.
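Impacted products (as listed in the CPE configuration below: 8.0, 9.0 and 10.0, each for Community and Enterprise; the summary above instead gives 9.0 through 11.0, so compare both when scoping affected installs)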
Vendor Product Version
odoo odoo 8.0
odoo odoo 8.0
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:8.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "705E446A-98DC-43D6-905A-F52E3FDCAF48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:8.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "F8E37238-5C5A-41E4-8D46-48446E539277",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment."
    },
    {
      "lang": "es",
      "value": "El control de acceso incorrecto en los paquetes de activos en Odoo Community 9.0 a 11.0 y anteriores y Odoo Enterprise 9.0 a 11.0 y anteriores permite a los usuarios identificados remotamente inyectar un script web arbitrario a trav\u00e9s de un adjunto dise\u00f1ado."
    }
  ],
  "id": "CVE-2018-14864",
  "lastModified": "2024-11-21T03:49:57.220",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-03T19:15:10.707",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32502"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32502"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-06-04 21:29
Modified
2024-11-21 03:36
Summary
Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service.
References
cve@mitre.org | https://github.com/odoo/odoo/issues/17394 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/odoo/odoo/issues/17394 | Issue Tracking, Patch, Third Party Advisory
Impacted products
Vendor Product Version
odoo odoo 8.0
odoo odoo 9.0
odoo odoo 10.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D140CBF-E659-4E87-8FEE-F19CD2E6B947",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "59408702-9C9E-4F25-85FB-D4F9AD4949BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A75A14CA-5B6C-4324-B5E5-BED6890D1426",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de salto de directorio en tools.file_open en Odoo versiones 8.0, 9.0 y 10.0, permite a los usuarios autenticados remotos leer archivos locales arbitrarios legibles por el servicio de Odoo."
    }
  ],
  "id": "CVE-2017-9416",
  "lastModified": "2024-11-21T03:36:04.360",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-06-04T21:29:00.420",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/17394"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/17394"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 06:31
Summary
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests.
References
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "97EB1578-CFCC-4301-AEE7-DBBC6A92BC25",
              "versionEndIncluding": "13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "3451E55A-C240-40BF-AA17-E11DC5A56002",
              "versionEndIncluding": "13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests."
    }
  ],
  "id": "CVE-2021-44460",
  "lastModified": "2024-11-21T06:31:01.170",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.600",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107685"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107685"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-04-09 16:29
Modified
2024-11-21 03:51
Summary
Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a crafted name.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "A958BCBB-C656-44A5-A9A9-66A66AEA67A0",
              "versionEndIncluding": "12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "059733D6-977F-4731-BA24-36F6F50F76AB",
              "versionEndIncluding": "12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a crafted name."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de tipo Cross-site scripting en la aplicaci\u00f3n Discuss de Odoo Community versi\u00f3n 12.0 y anteriores, y Odoo Enterprise versi\u00f3n 12.0 y anteriores, permite a los atacantes remotos inyectar un script web arbitrario en el navegador de un usuario interno del sistema enga\u00f1\u00e1ndolos para que inviten a un seguidor de un documento con un nombre creado."
    }
  ],
  "id": "CVE-2018-15635",
  "lastModified": "2024-11-21T03:51:12.030",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-04-09T16:29:01.130",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32515"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32515"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 06:31
Summary
Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials."
    }
  ],
  "id": "CVE-2021-45111",
  "lastModified": "2024-11-21T06:31:59.163",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:10.020",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107683"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107683"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 06:31
Summary
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.
References
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "97EB1578-CFCC-4301-AEE7-DBBC6A92BC25",
              "versionEndIncluding": "13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "3451E55A-C240-40BF-AA17-E11DC5A56002",
              "versionEndIncluding": "13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests."
    }
  ],
  "id": "CVE-2021-44465",
  "lastModified": "2024-11-21T06:31:01.897",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.727",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107692"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107692"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 05:57
Summary
Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link."
    }
  ],
  "id": "CVE-2021-26947",
  "lastModified": "2024-11-21T05:57:06.037",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.530",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107694"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107694"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-03 19:15
Modified
2024-11-21 03:49
Summary
Incorrect access control in the RPC framework in Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated users to call private functions via RPC.
Impacted products
Vendor Product Version
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0
odoo odoo 11.0
odoo odoo 11.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "38424B03-4121-4A79-8E4E-4CB4DCD3E4A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1298CF62-A06E-48AD-8141-0541DE3F6381",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incorrect access control in the RPC framework in Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated users to call private functions via RPC."
    },
    {
      "lang": "es",
      "value": "El control de acceso incorrecto en el marco de RPC en Odoo Community 8.0 a 11.0 y Odoo Enterprise 9.0 a 11.0 permite a los usuarios identificados llamar a funciones privadas a trav\u00e9s de RPC."
    }
  ],
  "id": "CVE-2018-14863",
  "lastModified": "2024-11-21T03:49:57.053",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-03T19:15:10.643",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32508"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32508"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 05:56
Summary
Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
Impacted products
Vendor Product Version
odoo odoo 14.0
odoo odoo 14.0
odoo odoo 15.0
odoo odoo 15.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:14.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "4D952E47-04E1-4146-A3AA-3804A1AB52DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:14.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "BEB5354F-C1AC-48D6-8922-656F952442A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:15.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "EBD0BABD-16C5-449D-8BE7-9E948A509FA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:15.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "24A23452-4857-4F4B-AA5A-944F9073A554",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."
    }
  ],
  "id": "CVE-2021-26263",
  "lastModified": "2024-11-21T05:56:00.197",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.470",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107693"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107693"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 03:51
Summary
Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "D9126A1A-FA35-4127-91B3-A3FA8B26FABB",
              "versionEndIncluding": "11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "9ACA123F-EF25-4E9D-8D60-4368B2F25FA0",
              "versionEndIncluding": "11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials."
    },
    {
      "lang": "es",
      "value": "Una comprobaci\u00f3n de entrada inapropiada en la l\u00f3gica de creaci\u00f3n de la base de datos en Odoo Community versiones 11.0 y anteriores y Odoo Enterprise versiones 11.0 y anteriores, permite a atacantes remotos inicializar una base de datos vac\u00eda en la que pueden conectarse con las credenciales predeterminadas"
    }
  ],
  "id": "CVE-2018-15632",
  "lastModified": "2024-11-21T03:51:11.627",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 8.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 7.8,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:12.487",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63700"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63700"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-03 18:15
Modified
2024-11-21 03:49
Summary
Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs.
Impacted products
Vendor Product Version
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0
odoo odoo 11.0
odoo odoo 11.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "38424B03-4121-4A79-8E4E-4CB4DCD3E4A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1298CF62-A06E-48AD-8141-0541DE3F6381",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs."
    },
    {
      "lang": "es",
      "value": "El control de acceso incorrecto en el marco de TransientModel en Odoo Community 11.0 y versiones anteriores y Odoo Enterprise 11.0 y versiones anteriores permite que los atacantes identificados accedan a datos en registros transitorios que no poseen al realizar una llamada RPC antes de que se produzca la recolecci\u00f3n de basura."
    }
  ],
  "id": "CVE-2018-14866",
  "lastModified": "2024-11-21T03:49:57.563",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-03T18:15:10.317",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32509"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32509"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-06-28 18:15
Modified
2024-11-21 03:50
Summary
Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds.
Impacted products
Vendor Product Version
odoo odoo 10.0
odoo odoo 10.0
odoo odoo 11.0
odoo odoo 11.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "38424B03-4121-4A79-8E4E-4CB4DCD3E4A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1298CF62-A06E-48AD-8141-0541DE3F6381",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds."
    },
    {
      "lang": "es",
      "value": "Un control de acceso incorrecto en el componente Database Manager en Odoo Community versi\u00f3n 10.0 y versi\u00f3n 11.0 y Odoo Enterprise versi\u00f3n 10.0 y versi\u00f3n 11.0 permite que un atacante remoto recuperar una copia de la base de datos sin conocer la contrase\u00f1a de super-administrador. Tiene \u00e9xito un contrase\u00f1a arbitraria."
    }
  ],
  "id": "CVE-2018-14885",
  "lastModified": "2024-11-21T03:50:00.760",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-28T18:15:10.520",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/commits/master"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32512"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/commits/master"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32512"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-07-04 18:29
Modified
2024-11-21 03:06
Summary
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack OAuth sessions of other users.
References
cve@mitre.org https://github.com/odoo/odoo/issues/17921 Mitigation, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://github.com/odoo/odoo/issues/17921 Mitigation, Patch, Third Party Advisory
Impacted products
Vendor Product Version
odoo odoo 8.0
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D140CBF-E659-4E87-8FEE-F19CD2E6B947",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack OAuth sessions of other users."
    },
    {
      "lang": "es",
      "value": "En Odoo versi\u00f3n 8.0, Odoo Community Edition versiones 9.0 y 10.0, y Odoo Enterprise Edition versiones 9.0 y 10.0, un control de acceso incorrecto en los tokens OAuth en el m\u00f3dulo OAuth permite a los usuarios identificados secuestrar las sesiones OAuth de otros usuarios."
    }
  ],
  "id": "CVE-2017-10805",
  "lastModified": "2024-11-21T03:06:32.570",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-07-04T18:29:00.273",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mitigation",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/17921"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/17921"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-07-04 18:29
Modified
2024-11-21 03:06
Summary
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.
Impacted products
Vendor Product Version
odoo odoo 8.0
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D140CBF-E659-4E87-8FEE-F19CD2E6B947",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used."
    },
    {
      "lang": "es",
      "value": "En Odoo versi\u00f3n 8.0, Odoo Community Edition versiones 9.0 y 10.0, y Odoo Enterprise Edition versiones 9.0 y 10.0, el manejo no seguro de datos de anonimizaci\u00f3n en el m\u00f3dulo de Anonimizaci\u00f3n de Base de Datos permite que los usuarios privilegiados identificados remotos ejecuiten c\u00f3digo Python arbitrario, porque es utilizado unpickle."
    }
  ],
  "id": "CVE-2017-10803",
  "lastModified": "2024-11-21T03:06:32.277",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 8.5,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 0.6,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-07-04T18:29:00.177",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/17898"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/17898"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 06:31
Summary
Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."
    }
  ],
  "id": "CVE-2021-44775",
  "lastModified": "2024-11-21T06:31:32.727",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.903",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107691"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107691"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 03:51
Summary
Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "4ED3084D-DF4C-486F-A161-ADCC24FF61F4",
              "versionEndIncluding": "14.0",
              "versionStartIncluding": "11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "EBE9D00C-0BB2-4086-B6E3-C5AEC39070C1",
              "versionEndIncluding": "14.0",
              "versionStartIncluding": "11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes."
    },
    {
      "lang": "es",
      "value": "Un problema de tipo cross-site scripting (XSS) en el m\u00f3dulo web en Odoo Community versiones 11.0 hasta 14.0 y Odoo Enterprise versiones 11.0 hasta 14.0, permite a usuarios internos autenticados remotos inyectar un script web arbitrario en el navegador de una v\u00edctima por medio de atributos de eventos de calendario dise\u00f1ados"
    }
  ],
  "id": "CVE-2018-15641",
  "lastModified": "2024-11-21T03:51:12.433",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 4.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:12.940",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63704"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63704"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 04:21
Summary
Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "A958BCBB-C656-44A5-A9A9-66A66AEA67A0",
              "versionEndIncluding": "12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "059733D6-977F-4731-BA24-36F6F50F76AB",
              "versionEndIncluding": "12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation."
    },
    {
      "lang": "es",
      "value": "Una comprobaci\u00f3n de entrada inapropiada en el componente portal en Odoo Community versiones 12.0 y anteriores y Odoo Enterprise versiones 12.0 y anteriores, permite a atacantes remotos enga\u00f1ar a unas v\u00edctimas para que modifiquen su cuenta por medio de enlaces dise\u00f1ados, conllevando a una escalada de privilegios"
    }
  ],
  "id": "CVE-2019-11781",
  "lastModified": "2024-11-21T04:21:46.870",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:13.127",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63706"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63706"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-04-09 16:29
Modified
2024-11-21 03:51
Summary
Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request.
Impacted products
Vendor Product Version
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4C406AC-8BCE-431E-9E09-7A793E3C750F",
              "versionEndIncluding": "12.0",
              "versionStartIncluding": "10.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request."
    },
    {
      "lang": "es",
      "value": "El control de acceso inapropiado en la aplicaci\u00f3n Helpdesk de Odoo Enterprise versi\u00f3n 10.0 hasta la 12.0, permite que los atacantes autenticados remotos puedan obtener privilegios elevados por medio de una petici\u00f3n creada."
    }
  ],
  "id": "CVE-2018-15640",
  "lastModified": "2024-11-21T03:51:12.313",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-04-09T16:29:01.193",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32514"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32514"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 06:31
Summary
Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim.
Impacted products
Vendor Product Version
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "D3FA7C86-7FC1-4310-9945-EE9265577C5D",
              "versionEndIncluding": "15.0",
              "versionStartIncluding": "13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim."
    }
  ],
  "id": "CVE-2021-44461",
  "lastModified": "2024-11-21T06:31:01.323",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.670",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107686"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107686"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-03 20:15
Modified
2024-11-21 03:49
Summary
Incorrect access control in the password reset component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated users to reset the password of other users by being the first party to use the secure token.
Impacted products
Vendor Product Version
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0
odoo odoo 11.0
odoo odoo 11.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "38424B03-4121-4A79-8E4E-4CB4DCD3E4A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1298CF62-A06E-48AD-8141-0541DE3F6381",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incorrect access control in the password reset component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated users to reset the password of other users by being the first party to use the secure token."
    },
    {
      "lang": "es",
      "value": "El control de acceso incorrecto en el componente de restablecimiento de contrase\u00f1a en Odoo Community versi\u00f3n 11.0 y versiones anteriores y Odoo Enterprise versi\u00f3n 11.0 y versiones anteriores permite a los usuarios autenticados restablecer la contrase\u00f1a de otros usuarios al ser la primera persona en utilizar el token seguro."
    }
  ],
  "id": "CVE-2018-14859",
  "lastModified": "2024-11-21T03:49:56.440",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-03T20:15:10.777",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32510"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32510"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 03:51
Summary
Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "2DBCA075-326A-4F0F-89B9-1437744D0FFC",
              "versionEndIncluding": "14.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "70406DFC-3BE1-46D3-BDDA-47D2156733D9",
              "versionEndIncluding": "14.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link."
    },
    {
      "lang": "es",
      "value": "Un problema de tipo cross-site scripting (XSS) en la gesti\u00f3n de archivos adjuntos en Odoo Community versiones 14.0 y anteriores y Odoo Enterprise versiones 14.0 y anteriores, permite a atacantes remotos inyectar un script web arbitrario en el navegador de una v\u00edctima por medio de un enlace dise\u00f1ado"
    }
  ],
  "id": "CVE-2018-15634",
  "lastModified": "2024-11-21T03:51:11.890",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:12.783",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63702"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63702"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 06:31
Summary
Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim via crafted uploaded file names.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names."
    }
  ],
  "id": "CVE-2021-45071",
  "lastModified": "2024-11-21T06:31:53.843",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.963",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107697"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107697"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 04:21
Summary
Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "2DBCA075-326A-4F0F-89B9-1437744D0FFC",
              "versionEndIncluding": "14.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "70406DFC-3BE1-46D3-BDDA-47D2156733D9",
              "versionEndIncluding": "14.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to."
    },
    {
      "lang": "es",
      "value": "Un control de acceso inapropiado en el m\u00f3dulo mail (notifications) en Odoo Community versiones 14.0 y anteriores y Odoo Enterprise versiones 14.0 y anteriores, permite a usuarios autenticados remotos conseguir acceso a mensajes arbitrarios en conversaciones en las que no eran parte"
    }
  ],
  "id": "CVE-2019-11784",
  "lastModified": "2024-11-21T04:21:47.253",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:13.330",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63709"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63709"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 04:21
Summary
Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows remote authenticated users to obtain access to messages posted on business records they were not given access to, and subscribe to receive future messages.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "97EB1578-CFCC-4301-AEE7-DBBC6A92BC25",
              "versionEndIncluding": "13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "3451E55A-C240-40BF-AA17-E11DC5A56002",
              "versionEndIncluding": "13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages."
    },
    {
      "lang": "es",
      "value": "Un control de acceso inapropiado en el m\u00f3dulo mail (followers) en Odoo Community versiones 13.0 y anteriores y Odoo Enterprise versiones 13.0 y anteriores, permite a usuarios autenticados remotos obtener acceso a unos mensajes publicados en registros de empresas a los que no se les dio acceso, y suscribirse para recibir futuros mensajes"
    }
  ],
  "id": "CVE-2019-11785",
  "lastModified": "2024-11-21T04:21:47.370",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:13.393",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63710"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63710"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 05:51
Summary
Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim's payment method to be charged instead.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim\u0027s payment method to be charged instead."
    }
  ],
  "id": "CVE-2021-23178",
  "lastModified": "2024-11-21T05:51:20.110",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.283",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107690"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107690"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-06-28 18:15
Modified
2024-11-21 03:50
Summary
Improper Host header sanitization in the dbfilter routing component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows a remote attacker to deny access to the service and to disclose database names via a crafted request.
Impacted products
Vendor Product Version
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0
odoo odoo 11.0
odoo odoo 11.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "38424B03-4121-4A79-8E4E-4CB4DCD3E4A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1298CF62-A06E-48AD-8141-0541DE3F6381",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Host header sanitization in the dbfilter routing component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows a remote attacker to deny access to the service and to disclose database names via a crafted request."
    },
    {
      "lang": "es",
      "value": "Un saneamiento inadecuado de la cabecera Host en el componente de enrutamiento dbfilter en Odoo Community versi\u00f3n 11.0 y versiones anteriores y Odoo Enterprise versi\u00f3n 11.0 y anteriores permite que los atacantes remotos denieguen el acceso al servicio y revelar los nombres de base de datos mediante una petici\u00f3n creada."
    }
  ],
  "id": "CVE-2018-14887",
  "lastModified": "2024-11-21T03:50:01.093",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 4.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-28T18:15:10.613",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/commits/master"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32511"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/commits/master"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32511"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 04:21
Summary
Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "2DBCA075-326A-4F0F-89B9-1437744D0FFC",
              "versionEndIncluding": "14.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "70406DFC-3BE1-46D3-BDDA-47D2156733D9",
              "versionEndIncluding": "14.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited."
    },
    {
      "lang": "es",
      "value": "Un control de acceso inapropiado en el m\u00f3dulo mail (channel partners) en Odoo Community 14.0 y anteriores y Odoo Enterprise 14.0 y anteriores, permite que los usuarios autenticados remotos se suscriban a canales de correo arbitrarios no invitados"
    }
  ],
  "id": "CVE-2019-11783",
  "lastModified": "2024-11-21T04:21:47.110",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:13.267",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63708"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63708"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-03 19:15
Modified
2024-11-21 03:49
Summary
Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files.
Impacted products
Vendor Product Version
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0
odoo odoo 11.0
odoo odoo 11.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "38424B03-4121-4A79-8E4E-4CB4DCD3E4A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1298CF62-A06E-48AD-8141-0541DE3F6381",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files."
    },
    {
      "lang": "es",
      "value": "El motor de informes en Odoo Community versi\u00f3n 9.0 hasta la versi\u00f3n 11.0 y versiones anteriores y Odoo Enterprise versi\u00f3n 9.0 hasta la versi\u00f3n 11.0 y versiones anteriores no usa opciones seguras al pasar documentos a wkhtmltopdf, lo que permite a los atacantes remotos leer archivos locales."
    }
  ],
  "id": "CVE-2018-14865",
  "lastModified": "2024-11-21T03:49:57.387",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-03T19:15:10.767",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32501"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32501"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 05:23
Summary
A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *
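python python * (3.6.0 and later; listed as the runtime condition and marked not vulnerable in the configuration below)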



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C1269963-1DD6-4B28-A33F-B8C2F69AEF4C",
              "versionEndIncluding": "13.0",
              "versionStartIncluding": "11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1483CFE3-394B-4AB7-9561-63935D090B8D",
              "versionEndIncluding": "13.0",
              "versionStartIncluding": "11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC3B293C-2E49-4EB8-8951-11BE3927C23D",
              "versionStartIncluding": "3.6.0",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation."
    },
    {
      "lang": "es",
      "value": "Un problema del sandboxing en Odoo Community versiones 11.0 hasta 13.0 y Odoo Enterprise versiones 11.0 hasta 13.0, cuando se ejecuta con Python versiones 3.6 o posteriores, permite a usuarios autenticados remotos ejecutar c\u00f3digo arbitrario, conllevando a una escalada de privilegios"
    }
  ],
  "id": "CVE-2020-29396",
  "lastModified": "2024-11-21T05:23:59.430",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:13.550",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63712"
    },
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63712"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-267"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-05 20:15
Modified
2024-11-21 03:49
Summary
The Odoo Community Association (OCA) dbfilter_from_header module makes Odoo 8.x, 9.x, 10.x, and 11.x vulnerable to ReDoS (regular expression denial of service) under certain circumstances.
Impacted products
Vendor Product Version
odoo odoo 8.0
odoo odoo 8.0
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0
odoo odoo 11.0
odoo odoo 11.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:8.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "705E446A-98DC-43D6-905A-F52E3FDCAF48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:8.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "F8E37238-5C5A-41E4-8D46-48446E539277",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "38424B03-4121-4A79-8E4E-4CB4DCD3E4A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1298CF62-A06E-48AD-8141-0541DE3F6381",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Odoo Community Association (OCA) dbfilter_from_header module makes Odoo 8.x, 9.x, 10.x, and 11.x vulnerable to ReDoS (regular expression denial of service) under certain circumstances."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo dbfilter_from_header de Odoo Community Association (OCA), hace que Odoo versiones 8.x, 9.x, 10.x y 11.x sea vulnerable a un problema de tipo ReDoS (denegaci\u00f3n de servicio de expresiones regulares) bajo ciertas circunstancias."
    }
  ],
  "id": "CVE-2018-14733",
  "lastModified": "2024-11-21T03:49:41.863",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-05T20:15:13.907",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/OCA/server-tools/issues/1335"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/OCA/server-tools/tree/10.0/dbfilter_from_header"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/OCA/server-tools/tree/11.0/dbfilter_from_header"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/OCA/server-tools/tree/8.0/dbfilter_from_header"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/OCA/server-tools/tree/9.0/dbfilter_from_header"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/OCA/server-tools/issues/1335"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/OCA/server-tools/tree/10.0/dbfilter_from_header"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/OCA/server-tools/tree/11.0/dbfilter_from_header"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/OCA/server-tools/tree/8.0/dbfilter_from_header"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/OCA/server-tools/tree/9.0/dbfilter_from_header"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 05:51
Summary
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server."
    }
  ],
  "id": "CVE-2021-23166",
  "lastModified": "2024-11-21T05:51:18.710",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.140",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107687"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107687"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-267"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 05:51
Summary
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants in a multi-tenant system.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system."
    }
  ],
  "id": "CVE-2021-23186",
  "lastModified": "2024-11-21T05:51:20.653",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.340",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107688"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107688"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-267"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-06-28 18:15
Modified
2024-11-21 03:49
Summary
Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters.
Impacted products
Vendor Product Version
odoo odoo 9.0
odoo odoo 9.0
odoo odoo 10.0
odoo odoo 10.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters."
    },
    {
      "lang": "es",
      "value": "El control de acceso incorrecto en el sistema de mensajer\u00eda del portal en Odoo Community versiones 9.0 y 10.0 y Odoo Enterprise versiones 9.0 y 10.0 permite a los atacantes remotos publicar mensajes en nombre de los clientes y adivinar los valores de los atributos de los documentos, a trav\u00e9s de par\u00e1metros dise\u00f1ados."
    }
  ],
  "id": "CVE-2018-14867",
  "lastModified": "2024-11-21T03:49:57.800",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-28T18:15:10.410",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/commits/master"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32503"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/commits/master"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32503"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 05:51
Summary
Improper access control in the reporting engine of the l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets."
    }
  ],
  "id": "CVE-2021-23176",
  "lastModified": "2024-11-21T05:51:19.833",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.220",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107682"
    },
    {
      "source": "security@odoo.com",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107682"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5399"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-12-22 17:15
Modified
2024-11-21 03:51
Summary
Cross-site scripting (XSS) issue in the "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "D9126A1A-FA35-4127-91B3-A3FA8B26FABB",
              "versionEndIncluding": "11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "9ACA123F-EF25-4E9D-8D60-4368B2F25FA0",
              "versionEndIncluding": "11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) issue in \"document\" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames."
    },
    {
      "lang": "es",
      "value": "Un problema de tipo cross-site scripting (XSS) en el m\u00f3dulo \"document\" en Odoo Community versiones 11.0 y anteriores y Odoo Enterprise versiones 11.0 y anteriores, permite a atacantes remotos inyectar un script web arbitrario en el navegador de una v\u00edctima por medio de nombres de archivo adjuntos dise\u00f1ados"
    }
  ],
  "id": "CVE-2018-15633",
  "lastModified": "2024-11-21T03:51:11.757",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-22T17:15:12.690",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63701"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/63701"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-25 19:15
Modified
2024-11-21 06:31
Summary
A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to execute arbitrary code, leading to privilege escalation.
References
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE",
              "versionEndIncluding": "15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading to privilege escalation."
    }
  ],
  "id": "CVE-2021-44547",
  "lastModified": "2024-11-21T06:31:12.333",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "security@odoo.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:09.843",
  "references": [
    {
      "source": "security@odoo.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107696"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/107696"
    }
  ],
  "sourceIdentifier": "security@odoo.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-267"
        }
      ],
      "source": "security@odoo.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-03 20:15
Modified
2024-11-21 03:49
Summary
Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system.
Impacted products
Vendor Product Version
odoo odoo *
odoo odoo *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "D9126A1A-FA35-4127-91B3-A3FA8B26FABB",
              "versionEndIncluding": "11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "9ACA123F-EF25-4E9D-8D60-4368B2F25FA0",
              "versionEndIncluding": "11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system."
    },
    {
      "lang": "es",
      "value": "El saneamiento inadecuado de las expresiones de usuario din\u00e1micas en Odoo Community versi\u00f3n 11.0 y versiones anteriores y Odoo Enterprise versi\u00f3n 11.0 y versiones anteriores permite a los usuarios con privilegios autenticados un escape de sanbox de expresiones din\u00e1micas y ejecutar c\u00f3digo arbitrario en el sistema de alojamiento."
    }
  ],
  "id": "CVE-2018-14860",
  "lastModified": "2024-11-21T03:49:56.583",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-03T20:15:10.837",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32505"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/odoo/odoo/issues/32505"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

cve-2018-14863
Vulnerability from cvelistv5
Published
2019-07-03 18:53
Modified
2024-08-05 09:38
Summary
Incorrect access control in the RPC framework in Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated users to call private functions via RPC.
References
https://github.com/odoo/odoo/issues/32508 (x_refsource_CONFIRM)
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.941Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32508"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect access control in the RPC framework in Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated users to call private functions via RPC."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-03T18:53:59",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32508"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14863",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Incorrect access control in the RPC framework in Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated users to call private functions via RPC."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/32508",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32508"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14863",
    "datePublished": "2019-07-03T18:53:59",
    "dateReserved": "2018-08-02T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.941Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-11784
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Summary
Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to.
References
https://github.com/odoo/odoo/issues/63709 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified <= 14.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:03:32.743Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63709"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:37",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63709"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2019-11784",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": ""
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63709",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63709"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2019-11784",
    "datePublished": "2020-12-22T16:25:37",
    "dateReserved": "2019-05-06T00:00:00",
    "dateUpdated": "2024-08-04T23:03:32.743Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-15641
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Summary
Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes.
References
https://github.com/odoo/odoo/issues/63704 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 11.0   < unspecified
Odoo Odoo Community Version: unspecified <= 14.0
Odoo Odoo Enterprise Version: unspecified <= 14.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.277Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63704"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "11.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "11.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "msg systems ag"
        },
        {
          "lang": "en",
          "value": "Lauri Vakkala (Silverskin)"
        },
        {
          "lang": "en",
          "value": "Bharath Kumar (Appsecco)"
        },
        {
          "lang": "en",
          "value": "An\u0131l Y\u00fcksel"
        },
        {
          "lang": "en",
          "value": "Aitor Fuentes (kr0no)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:34",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63704"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15641",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "msg systems ag"
          },
          {
            "lang": "eng",
            "value": "Lauri Vakkala (Silverskin)"
          },
          {
            "lang": "eng",
            "value": "Bharath Kumar (Appsecco)"
          },
          {
            "lang": "eng",
            "value": "An\u0131l Y\u00fcksel"
          },
          {
            "lang": "eng",
            "value": "Aitor Fuentes (kr0no)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63704",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63704"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15641",
    "datePublished": "2020-12-22T16:25:34",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14862
Vulnerability from cvelistv5
Published
2019-07-03 18:56
Modified
2024-08-05 09:38
Summary
Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request.
References
https://github.com/odoo/odoo/issues/32504 (x_refsource_CONFIRM)
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:14.112Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32504"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-03T18:56:25",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32504"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14862",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/32504",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32504"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14862",
    "datePublished": "2019-07-03T18:56:25",
    "dateReserved": "2018-08-02T00:00:00",
    "dateUpdated": "2024-08-05T09:38:14.112Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-11782
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Summary
Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation.
References
https://github.com/odoo/odoo/issues/63707 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified <= 14.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:03:32.794Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63707"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Damien LESCOS"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:36",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63707"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2019-11782",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Damien LESCOS"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63707",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63707"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2019-11782",
    "datePublished": "2020-12-22T16:25:36",
    "dateReserved": "2019-05-06T00:00:00",
    "dateUpdated": "2024-08-04T23:03:32.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-23203
Vulnerability from cvelistv5
Published
2023-04-25 18:35
Modified
2024-08-03 19:05
Summary
Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 14.0 through 15.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:05:55.598Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107695"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Tiffany Chang"
        },
        {
          "lang": "eng",
          "type": "finder",
          "value": "iamsushi"
        },
        {
          "lang": "eng",
          "type": "finder",
          "value": "Ranjit Pahan"
        },
        {
          "lang": "eng",
          "type": "finder",
          "value": "Iago Ruiz"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107695"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-23203",
    "datePublished": "2023-04-25T18:35:38.489Z",
    "dateReserved": "2021-07-20T14:28:12.189Z",
    "dateUpdated": "2024-08-03T19:05:55.598Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-11786
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Summary
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements.
References
https://github.com/odoo/odoo/issues/63711 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified <= 13.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:03:32.888Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63711"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Martin Trigaux"
        },
        {
          "lang": "en",
          "value": "Alexandre Diaz"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:38",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63711"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2019-11786",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Martin Trigaux"
          },
          {
            "lang": "eng",
            "value": "Alexandre Diaz"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63711",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63711"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2019-11786",
    "datePublished": "2020-12-22T16:25:38",
    "dateReserved": "2019-05-06T00:00:00",
    "dateUpdated": "2024-08-04T23:03:32.888Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-15634
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Summary
Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link.
References
https://github.com/odoo/odoo/issues/63702 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified <= 14.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.274Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63702"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Nathanael ROTA (Capgemini)"
        },
        {
          "lang": "en",
          "value": "Alessandro Innocenti"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:33",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63702"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15634",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Nathanael ROTA (Capgemini)"
          },
          {
            "lang": "eng",
            "value": "Alessandro Innocenti"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63702",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63702"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15634",
    "datePublished": "2020-12-22T16:25:33",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.274Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14867
Vulnerability from cvelistv5
Published
2019-06-28 17:37
Modified
2024-08-05 09:38
Severity ?
Summary
Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters.
References
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:14.000Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/commits/master"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32503"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-28T17:37:45",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/commits/master"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32503"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14867",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/commits/master",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/commits/master"
            },
            {
              "name": "https://github.com/odoo/odoo/issues/32503",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32503"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14867",
    "datePublished": "2019-06-28T17:37:45",
    "dateReserved": "2018-08-02T00:00:00",
    "dateUpdated": "2024-08-05T09:38:14.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-45071
Vulnerability from cvelistv5
Published
2023-04-25 18:29
Modified
2024-08-04 04:32
Summary
Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 0 ≤ 15.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-45071",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-17T20:57:21.835919Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-17T20:57:39.519Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:32:13.508Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107697"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Lauri Vakkala"
        },
        {
          "lang": "eng",
          "type": "finder",
          "value": "An\u0131l Y\u00fcksel"
        },
        {
          "lang": "eng",
          "type": "finder",
          "value": "Agustin Maio"
        },
        {
          "lang": "eng",
          "type": "finder",
          "value": "Johannes Moritz"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107697"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-45071",
    "datePublished": "2023-04-25T18:29:52.108Z",
    "dateReserved": "2021-12-27T06:22:26.008Z",
    "dateUpdated": "2024-08-04T04:32:13.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-10804
Vulnerability from cvelistv5
Published
2017-07-04 18:00
Modified
2024-08-05 17:50
Severity ?
Summary
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used.
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:50:11.667Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/17914"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/psycopg/psycopg2/issues/420"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-07-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-04T17:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/17914"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/psycopg/psycopg2/issues/420"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-10804",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/17914",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/17914"
            },
            {
              "name": "http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3",
              "refsource": "CONFIRM",
              "url": "http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3"
            },
            {
              "name": "https://github.com/psycopg/psycopg2/issues/420",
              "refsource": "CONFIRM",
              "url": "https://github.com/psycopg/psycopg2/issues/420"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-10804",
    "datePublished": "2017-07-04T18:00:00",
    "dateReserved": "2017-07-03T00:00:00",
    "dateUpdated": "2024-08-05T17:50:11.667Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-23186
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-03 19:05
Summary
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 0 ≤ 15.0


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "odoo_community",
            "vendor": "odoo",
            "versions": [
              {
                "lessThan": "15.0",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "odoo_enterprise",
            "vendor": "odoo",
            "versions": [
              {
                "lessThan": "15.0",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-23186",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-17T20:54:45.816025Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-17T20:57:01.095Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:05:53.896Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107688"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Nils Hamerlinck"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-267",
              "description": "Privilege Defined With Unsafe Actions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107688"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-23186",
    "datePublished": "2023-04-25T18:33:36.536Z",
    "dateReserved": "2021-12-27T06:19:18.852Z",
    "dateUpdated": "2024-08-03T19:05:53.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-44460
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:25
Summary
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 0 ≤ 13.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-44460",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-15T13:23:44.267561Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-15T20:32:56.009Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:25:16.420Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107685"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Xavier Morel"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107685"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-44460",
    "datePublished": "2023-04-25T18:33:33.360Z",
    "dateReserved": "2021-12-27T06:17:50.956Z",
    "dateUpdated": "2024-08-04T04:25:16.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-15645
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Summary
Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation.
References
https://github.com/odoo/odoo/issues/63705 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified ≤ 12.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.575Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63705"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "12.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "12.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Nils Hamerlinck (Trobz)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:34",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63705"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15645",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "12.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "12.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Nils Hamerlinck (Trobz)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63705",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63705"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15645",
    "datePublished": "2020-12-22T16:25:35",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.575Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-26947
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-03 20:33
Summary
Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 0 ≤ 15.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-26947",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-15T15:39:58.913170Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-16T13:31:53.667Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:33:41.300Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107694"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Nils Hamerlinck"
        },
        {
          "lang": "eng",
          "type": "finder",
          "value": "Andreas Perhab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107694"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-26947",
    "datePublished": "2023-04-25T18:33:41.553Z",
    "dateReserved": "2021-12-27T06:22:25.995Z",
    "dateUpdated": "2024-08-03T20:33:41.300Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-15635
Vulnerability from cvelistv5
Published
2019-04-09 15:41
Modified
2024-08-05 10:01
Summary
Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a crafted name.
References
https://github.com/odoo/odoo/issues/32515 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified, up to and including 12.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.167Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32515"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "12.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "12.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a crafted name."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-09T15:41:20",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/32515"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2018-11-28-2",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15635",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "12.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "12.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a crafted name."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/32515",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/32515"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2018-11-28-2",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15635",
    "datePublished": "2019-04-09T15:41:20",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.167Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-15638
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Summary
Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names.
References
https://github.com/odoo/odoo/issues/63703 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified, up to and including 13.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.270Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63703"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Subash SN and Bharath Kumar (Appsecco)"
        },
        {
          "lang": "en",
          "value": "Dipanshu Agrawal"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:33",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63703"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15638",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Subash SN and Bharath Kumar (Appsecco)"
          },
          {
            "lang": "eng",
            "value": "Dipanshu Agrawal"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63703",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63703"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15638",
    "datePublished": "2020-12-22T16:25:33",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.270Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-44461
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:25
Summary
Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim.
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-44461",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-15T14:56:19.460796Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-15T14:56:28.883Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:25:16.399Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107686"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107686"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-44461",
    "datePublished": "2023-04-25T18:33:34.490Z",
    "dateReserved": "2021-12-27T06:17:50.969Z",
    "dateUpdated": "2024-08-04T04:25:16.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-23166
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-03 19:05
Summary
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 0 through 15.0 (inclusive)


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:05:55.305Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107687"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Nils Hamerlinck"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-267",
              "description": "Privilege Defined With Unsafe Actions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107687"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-23166",
    "datePublished": "2023-04-25T18:33:35.417Z",
    "dateReserved": "2021-12-27T06:17:50.974Z",
    "dateUpdated": "2024-08-03T19:05:55.305Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-10805
Vulnerability from cvelistv5
Published
2017-07-04 18:00
Modified
2024-08-05 17:50
Severity ?
Summary
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack OAuth sessions of other users.
References
https://github.com/odoo/odoo/issues/17921 (x_refsource_CONFIRM)
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:50:11.855Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/17921"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-07-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack OAuth sessions of other users."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-04T17:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/17921"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-10805",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack OAuth sessions of other users."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/17921",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/17921"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-10805",
    "datePublished": "2017-07-04T18:00:00",
    "dateReserved": "2017-07-03T00:00:00",
    "dateUpdated": "2024-08-05T17:50:11.855Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14733
Vulnerability from cvelistv5
Published
2019-07-05 19:54
Modified
2024-08-05 09:38
Severity ?
Summary
The Odoo Community Association (OCA) dbfilter_from_header module makes Odoo 8.x, 9.x, 10.x, and 11.x vulnerable to ReDoS (regular expression denial of service) under certain circumstances.
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.447Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OCA/server-tools/tree/8.0/dbfilter_from_header"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OCA/server-tools/tree/9.0/dbfilter_from_header"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OCA/server-tools/tree/10.0/dbfilter_from_header"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OCA/server-tools/tree/11.0/dbfilter_from_header"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/OCA/server-tools/issues/1335"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Odoo Community Association (OCA) dbfilter_from_header module makes Odoo 8.x, 9.x, 10.x, and 11.x vulnerable to ReDoS (regular expression denial of service) under certain circumstances."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-05T19:54:55",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OCA/server-tools/tree/8.0/dbfilter_from_header"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OCA/server-tools/tree/9.0/dbfilter_from_header"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OCA/server-tools/tree/10.0/dbfilter_from_header"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OCA/server-tools/tree/11.0/dbfilter_from_header"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OCA/server-tools/issues/1335"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14733",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Odoo Community Association (OCA) dbfilter_from_header module makes Odoo 8.x, 9.x, 10.x, and 11.x vulnerable to ReDoS (regular expression denial of service) under certain circumstances."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/OCA/server-tools/tree/8.0/dbfilter_from_header",
              "refsource": "MISC",
              "url": "https://github.com/OCA/server-tools/tree/8.0/dbfilter_from_header"
            },
            {
              "name": "https://github.com/OCA/server-tools/tree/9.0/dbfilter_from_header",
              "refsource": "MISC",
              "url": "https://github.com/OCA/server-tools/tree/9.0/dbfilter_from_header"
            },
            {
              "name": "https://github.com/OCA/server-tools/tree/10.0/dbfilter_from_header",
              "refsource": "MISC",
              "url": "https://github.com/OCA/server-tools/tree/10.0/dbfilter_from_header"
            },
            {
              "name": "https://github.com/OCA/server-tools/tree/11.0/dbfilter_from_header",
              "refsource": "MISC",
              "url": "https://github.com/OCA/server-tools/tree/11.0/dbfilter_from_header"
            },
            {
              "name": "https://github.com/OCA/server-tools/issues/1335",
              "refsource": "CONFIRM",
              "url": "https://github.com/OCA/server-tools/issues/1335"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14733",
    "datePublished": "2019-07-05T19:54:55",
    "dateReserved": "2018-07-29T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.447Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-23178
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-03 19:05
Summary
Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim's payment method to be charged instead.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 0 ≤ 15.0


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "odoo_community",
            "vendor": "odoo",
            "versions": [
              {
                "lessThanOrEqual": "15.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "odoo_enterprise",
            "vendor": "odoo",
            "versions": [
              {
                "lessThanOrEqual": "15.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-23178",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-15T13:46:25.204237Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-15T13:48:33.754Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:05:53.926Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107690"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Parth Gajjar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim\u0027s payment method to be charged instead."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107690"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-23178",
    "datePublished": "2023-04-25T18:33:37.875Z",
    "dateReserved": "2021-12-27T06:19:18.867Z",
    "dateUpdated": "2024-08-03T19:05:53.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14864
Vulnerability from cvelistv5
Published
2019-07-03 18:51
Modified
2024-08-05 09:38
Severity ?
Summary
Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment.
References
https://github.com/odoo/odoo/issues/32502 x_refsource_CONFIRM
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.968Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32502"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-03T18:51:29",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32502"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14864",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/32502",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32502"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14864",
    "datePublished": "2019-07-03T18:51:29",
    "dateReserved": "2018-08-02T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.968Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14861
Vulnerability from cvelistv5
Published
2019-07-03 19:00
Modified
2024-08-05 09:38
Severity ?
Summary
Improper data access control in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export of the secure hashed passwords of other users.
References
https://github.com/odoo/odoo/issues/32506 x_refsource_CONFIRM
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:14.084Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32506"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper data access control in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export of the secure hashed passwords of other users."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-03T19:00:04",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32506"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14861",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper data access control in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export of the secure hashed passwords of other users."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/32506",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32506"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14861",
    "datePublished": "2019-07-03T19:00:04",
    "dateReserved": "2018-08-02T00:00:00",
    "dateUpdated": "2024-08-05T09:38:14.084Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-11781
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Summary
Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation.
References
https://github.com/odoo/odoo/issues/63706 x_refsource_MISC
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified ≤ 12.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:03:32.878Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63706"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "12.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "12.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "\"iamsushi\""
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:35",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63706"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2019-11781",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "12.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "12.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "\"iamsushi\""
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63706",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63706"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2019-11781",
    "datePublished": "2020-12-22T16:25:35",
    "dateReserved": "2019-05-06T00:00:00",
    "dateUpdated": "2024-08-04T23:03:32.878Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-15633
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Summary
Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames.
References
https://github.com/odoo/odoo/issues/63701 x_refsource_MISC
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified ≤ 11.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.221Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63701"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "11.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "11.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Nathanael ROTA (Capgemini)"
        },
        {
          "lang": "en",
          "value": "Lauri Vakkala (Silverskin)"
        },
        {
          "lang": "en",
          "value": "Tomas Canzoniero"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in \"document\" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:32",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63701"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15633",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Nathanael ROTA (Capgemini)"
          },
          {
            "lang": "eng",
            "value": "Lauri Vakkala (Silverskin)"
          },
          {
            "lang": "eng",
            "value": "Tomas Canzoniero"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) issue in \"document\" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63701",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63701"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15633",
    "datePublished": "2020-12-22T16:25:32",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.221Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-44547
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:25
Summary
A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to execute arbitrary code, leading to privilege escalation.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 15.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-44547",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-15T16:25:59.608086Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-15T16:26:11.050Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:25:16.862Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107696"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "status": "affected",
              "version": "15.0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "status": "affected",
              "version": "15.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Stephane Debauche"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading to privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-267",
              "description": "Privilege Defined With Unsafe Actions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107696"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-44547",
    "datePublished": "2023-04-25T18:33:42.884Z",
    "dateReserved": "2021-12-27T06:22:26.001Z",
    "dateUpdated": "2024-08-04T04:25:16.862Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-44465
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:25
Summary
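Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests. (Note: the CNA CVSS vector in the record below lists PR:N, i.e. no privileges required, which does not match the "authenticated attackers" wording here; confirm the required privilege level against the vendor advisory before prioritising.)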
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 0 ≤ 13.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:25:16.836Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107692"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Swapnesh Shah"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107692"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-44465",
    "datePublished": "2023-04-25T18:33:39.776Z",
    "dateReserved": "2021-12-28T11:57:09.374Z",
    "dateUpdated": "2024-08-04T04:25:16.836Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14865
Vulnerability from cvelistv5
Published
2019-07-03 18:40
Modified
2024-08-05 09:38
Severity ?
Summary
Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files.
References
https://github.com/odoo/odoo/issues/32501 x_refsource_CONFIRM
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.955Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32501"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-03T18:40:31",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32501"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14865",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/32501",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32501"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14865",
    "datePublished": "2019-07-03T18:40:31",
    "dateReserved": "2018-08-02T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-11780
Vulnerability from cvelistv5
Published
2019-12-19 15:50
Modified
2024-08-04 23:03
Summary
Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation.
References
https://github.com/odoo/odoo/issues/42196 x_refsource_MISC
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 13.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:03:32.814Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/42196"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "status": "affected",
              "version": "13.0"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "status": "affected",
              "version": "13.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Swapnesh Shah"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-12-19T15:50:12",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/42196"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2019-10-25-1",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2019-11780",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Swapnesh Shah"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/42196",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/42196"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2019-10-25-1",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2019-11780",
    "datePublished": "2019-12-19T15:50:12",
    "dateReserved": "2019-05-06T00:00:00",
    "dateUpdated": "2024-08-04T23:03:32.814Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-5871
Vulnerability from cvelistv5
Published
2019-05-22 19:33
Modified
2024-08-05 15:11
Severity ?
Summary
Odoo Version <= 8.0-20160726 and Version 9 is affected by: CWE-601: Open redirection. The impact is: obtain sensitive information (remote).
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:11:48.909Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.odoo.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sysdream.com/news/lab/2017-11-20-cve-2017-5871-odoo-url-redirection-to-distrusted-site-open-redirect/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Odoo Version \u003c= 8.0-20160726 and Version 9 is affected by: CWE-601: Open redirection. The impact is: obtain sensitive information (remote)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-22T19:33:41",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.odoo.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sysdream.com/news/lab/2017-11-20-cve-2017-5871-odoo-url-redirection-to-distrusted-site-open-redirect/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-5871",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Odoo Version \u003c= 8.0-20160726 and Version 9 is affected by: CWE-601: Open redirection. The impact is: obtain sensitive information (remote)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.odoo.com",
              "refsource": "MISC",
              "url": "https://www.odoo.com"
            },
            {
              "name": "https://sysdream.com/news/lab/2017-11-20-cve-2017-5871-odoo-url-redirection-to-distrusted-site-open-redirect/",
              "refsource": "MISC",
              "url": "https://sysdream.com/news/lab/2017-11-20-cve-2017-5871-odoo-url-redirection-to-distrusted-site-open-redirect/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-5871",
    "datePublished": "2019-05-22T19:33:41",
    "dateReserved": "2017-02-02T00:00:00",
    "dateUpdated": "2024-08-05T15:11:48.909Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14859
Vulnerability from cvelistv5
Published
2019-07-03 19:02
Modified
2024-08-05 09:38
Severity ?
Summary
Incorrect access control in the password reset component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated users to reset the password of other users by being the first party to use the secure token.
References
https://github.com/odoo/odoo/issues/32510 x_refsource_CONFIRM
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.985Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32510"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect access control in the password reset component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated users to reset the password of other users by being the first party to use the secure token."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-03T19:02:51",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32510"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14859",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Incorrect access control in the password reset component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated users to reset the password of other users by being the first party to use the secure token."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/32510",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32510"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14859",
    "datePublished": "2019-07-03T19:02:51",
    "dateReserved": "2018-08-02T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-15640
Vulnerability from cvelistv5
Published
2019-04-09 15:41
Modified
2024-09-16 22:02
Summary
Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request.
References
https://github.com/odoo/odoo/issues/32514 x_refsource_MISC
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.311Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32514"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "12.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-04-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-09T15:41:20",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/32514"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2018-11-28-1",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "DATE_PUBLIC": "2019-04-05T14:00:00.000Z",
          "ID": "CVE-2018-15640",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "12.0"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "10.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/32514",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/32514"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2018-11-28-1",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15640",
    "datePublished": "2019-04-09T15:41:20.453639Z",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-09-16T22:02:03.889Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14886
Vulnerability from cvelistv5
Published
2019-06-28 17:27
Modified
2024-08-05 09:46
Severity ?
Summary
The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.
References
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:46:23.771Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/commits/master"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32513"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST\u0027s local file inclusion, which allows privileged authenticated users to read local files via a crafted module description."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-28T17:27:55",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/commits/master"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32513"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14886",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST\u0027s local file inclusion, which allows privileged authenticated users to read local files via a crafted module description."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/commits/master",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/commits/master"
            },
            {
              "name": "https://github.com/odoo/odoo/issues/32513",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32513"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14886",
    "datePublished": "2019-06-28T17:27:55",
    "dateReserved": "2018-08-03T00:00:00",
    "dateUpdated": "2024-08-05T09:46:23.771Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-26263
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-03 20:19
Summary
Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 14.0   <= 15.0


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:odoo:odoo_community:14.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "odoo_community",
            "vendor": "odoo",
            "versions": [
              {
                "lessThanOrEqual": "15.0",
                "status": "affected",
                "version": "14.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:odoo:odoo_enterprise:14.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "odoo_enterprise",
            "vendor": "odoo",
            "versions": [
              {
                "lessThanOrEqual": "15.0",
                "status": "affected",
                "version": "14.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-26263",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-15T14:49:47.368802Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-15T14:56:17.565Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:19:20.148Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107693"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Theodoros Malachias"
        },
        {
          "lang": "eng",
          "type": "finder",
          "value": "iamsushi"
        },
        {
          "lang": "eng",
          "type": "finder",
          "value": "Ranjit Pahan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107693"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-26263",
    "datePublished": "2023-04-25T18:33:40.613Z",
    "dateReserved": "2021-07-20T14:28:12.183Z",
    "dateUpdated": "2024-08-03T20:19:20.148Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14887
Vulnerability from cvelistv5
Published
2019-06-28 17:26
Modified
2024-08-05 09:46
Severity ?
Summary
Improper Host header sanitization in the dbfilter routing component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows a remote attacker to deny access to the service and to disclose database names via a crafted request.
References
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:46:23.768Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/commits/master"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32511"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper Host header sanitization in the dbfilter routing component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows a remote attacker to deny access to the service and to disclose database names via a crafted request."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-28T17:26:42",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/commits/master"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32511"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14887",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper Host header sanitization in the dbfilter routing component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows a remote attacker to deny access to the service and to disclose database names via a crafted request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/commits/master",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/commits/master"
            },
            {
              "name": "https://github.com/odoo/odoo/issues/32511",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32511"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14887",
    "datePublished": "2019-06-28T17:26:42",
    "dateReserved": "2018-08-03T00:00:00",
    "dateUpdated": "2024-08-05T09:46:23.768Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-29396
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 16:55
Severity ?
Summary
A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 11.0   < unspecified
Odoo Odoo Community Version: unspecified   <= 13.0
Odoo Odoo Enterprise Version: unspecified   <= 13.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:55:09.224Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63712"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "11.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "11.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Toufik Ben Jaa"
        },
        {
          "lang": "en",
          "value": "St\u00e9phane Debauche"
        },
        {
          "lang": "en",
          "value": "Beno\u00eet FONTAINE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-267",
              "description": "CWE-267: Privilege Defined With Unsafe Actions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:17:33",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63712"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2020-29396",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Toufik Ben Jaa"
          },
          {
            "lang": "eng",
            "value": "St\u00e9phane Debauche"
          },
          {
            "lang": "eng",
            "value": "Beno\u00eet FONTAINE"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-267: Privilege Defined With Unsafe Actions"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63712",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63712"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2020-29396",
    "datePublished": "2020-12-22T16:25:39",
    "dateReserved": "2020-11-30T00:00:00",
    "dateUpdated": "2024-08-04T16:55:09.224Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-10803
Vulnerability from cvelistv5
Published
2017-07-04 18:00
Modified
2024-08-05 17:50
Severity ?
Summary
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.
References
https://github.com/odoo/odoo/issues/17898 (x_refsource_CONFIRM)
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:50:11.800Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/17898"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-07-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-04T17:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/17898"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-10803",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/17898",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/17898"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-10803",
    "datePublished": "2017-07-04T18:00:00",
    "dateReserved": "2017-07-03T00:00:00",
    "dateUpdated": "2024-08-05T17:50:11.800Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-23176
Vulnerability from cvelistv5
Published
2023-04-25 18:32
Modified
2024-08-03 19:05
Summary
Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 0   <= 15.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-23176",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-15T15:55:28.408420Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-15T15:55:44.921Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:05:54.464Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107682"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Florent Mirieu de Labarre"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107682"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-23176",
    "datePublished": "2023-04-25T18:32:31.407Z",
    "dateReserved": "2021-12-27T06:14:42.052Z",
    "dateUpdated": "2024-08-03T19:05:54.464Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14885
Vulnerability from cvelistv5
Published
2019-06-28 17:35
Modified
2024-08-05 09:46
Severity ?
Summary
Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds.
References
Impacted products
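Vendor Product Version
n/a n/a Version: n/a (the record's structured "affected" data is unpopulated; the affected releases are named only in the Summary, so matching on product/version fields alone will not find this CVE)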


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:46:23.891Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/commits/master"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32512"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-28T17:35:21",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/commits/master"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32512"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14885",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/commits/master",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/commits/master"
            },
            {
              "name": "https://github.com/odoo/odoo/issues/32512",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32512"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14885",
    "datePublished": "2019-06-28T17:35:21",
    "dateReserved": "2018-08-03T00:00:00",
    "dateUpdated": "2024-08-05T09:46:23.891Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14868
Vulnerability from cvelistv5
Published
2019-06-28 17:36
Modified
2024-08-05 09:38
Severity ?
Summary
Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call.
References
Impacted products
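Vendor Product Version
n/a n/a Version: n/a (the record's structured "affected" data is unpopulated; the affected releases are named only in the Summary, so matching on product/version fields alone will not find this CVE)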


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.998Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/commits/master"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32507"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-28T17:36:34",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/commits/master"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32507"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14868",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/commits/master",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/commits/master"
            },
            {
              "name": "https://github.com/odoo/odoo/issues/32507",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32507"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14868",
    "datePublished": "2019-06-28T17:36:34",
    "dateReserved": "2018-08-02T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-45111
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:39
Summary
Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.
Impacted products
Vendor Product Version
Odoo Odoo Community Version: 0 ≤ 15.0
Odoo Odoo Enterprise Version: 0 ≤ 15.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-45111",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-16T13:41:04.565422Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-16T13:41:21.387Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:39:20.253Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107683"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Nils Hamerlinck"
        },
        {
          "lang": "eng",
          "type": "finder",
          "value": "Yenthe Van Ginneken"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107683"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-45111",
    "datePublished": "2023-04-25T18:33:00.392Z",
    "dateReserved": "2021-12-27T06:14:42.059Z",
    "dateUpdated": "2024-08-04T04:39:20.253Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14866
Vulnerability from cvelistv5
Published
2019-07-03 17:42
Modified
2024-08-05 09:38
Severity ?
Summary
Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs.
References
https://github.com/odoo/odoo/issues/32509 (x_refsource_CONFIRM)
Impacted products
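Vendor Product Version
n/a n/a Version: n/a (the record's structured "affected" data is unpopulated; the affected releases are named only in the Summary, so matching on product/version fields alone will not find this CVE)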


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:14.077Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32509"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-03T17:42:07",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32509"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14866",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/32509",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32509"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14866",
    "datePublished": "2019-07-03T17:42:07",
    "dateReserved": "2018-08-02T00:00:00",
    "dateUpdated": "2024-08-05T09:38:14.077Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-15632
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-05 10:01
Summary
Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials.
References
https://github.com/odoo/odoo/issues/63700 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Community Version: unspecified ≤ 11.0
Odoo Odoo Enterprise Version: unspecified ≤ 11.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.286Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63700"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "11.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "11.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "P. Valov (SoCyber)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:31",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63700"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15632",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "P. Valov (SoCyber)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63700",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63700"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15632",
    "datePublished": "2020-12-22T16:25:31",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.286Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-44476
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:25
Summary
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files.
Impacted products
Vendor Product Version
Odoo Odoo Community Version: 0 ≤ 15.0
Odoo Odoo Enterprise Version: 0 ≤ 15.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:25:16.573Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107684"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Toufik Ben Jaa"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-267",
              "description": "Privilege Defined With Unsafe Actions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107684"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-44476",
    "datePublished": "2023-04-25T18:33:32.237Z",
    "dateReserved": "2021-12-27T06:14:42.065Z",
    "dateUpdated": "2024-08-04T04:25:16.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-44775
Vulnerability from cvelistv5
Published
2023-04-25 18:33
Modified
2024-08-04 04:32
Summary
Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: 0 <= 15.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-44775",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-15T13:57:10.321947Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-15T13:57:17.113Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:32:13.292Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/107691"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5399"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "15.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "eng",
          "type": "finder",
          "value": "Holger Brunn"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T00:27:54.327174Z",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "url": "https://github.com/odoo/odoo/issues/107691"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5399"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2021-44775",
    "datePublished": "2023-04-25T18:33:38.887Z",
    "dateReserved": "2021-12-28T11:57:09.384Z",
    "dateUpdated": "2024-08-04T04:32:13.292Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-11783
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Summary
Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited.
References
https://github.com/odoo/odoo/issues/63708 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified <= 14.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:03:32.867Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63708"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Nils Hamerlinck (Trobz)"
        },
        {
          "lang": "en",
          "value": "Christopher Riis Bubeck Eriksen"
        },
        {
          "lang": "en",
          "value": "Alexandre Diaz"
        },
        {
          "lang": "en",
          "value": "\"Raspina Net Pars Group\""
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:36",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63708"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2019-11783",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Nils Hamerlinck (Trobz)"
          },
          {
            "lang": "eng",
            "value": "Christopher Riis Bubeck Eriksen"
          },
          {
            "lang": "eng",
            "value": "Alexandre Diaz"
          },
          {
            "lang": "eng",
            "value": "\"Raspina Net Pars Group\""
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63708",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63708"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2019-11783",
    "datePublished": "2020-12-22T16:25:36",
    "dateReserved": "2019-05-06T00:00:00",
    "dateUpdated": "2024-08-04T23:03:32.867Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-11785
Vulnerability from cvelistv5
Published
2020-12-22 16:25
Modified
2024-08-04 23:03
Summary
Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records they were not given access to, and subscribe to receive future messages.
References
https://github.com/odoo/odoo/issues/63710 (x_refsource_MISC)
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified <= 13.0
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:03:32.751Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63710"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Nils Hamerlinck (Trobz)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:38",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63710"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2019-11785",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Nils Hamerlinck (Trobz)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63710",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63710"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2019-11785",
    "datePublished": "2020-12-22T16:25:38",
    "dateReserved": "2019-05-06T00:00:00",
    "dateUpdated": "2024-08-04T23:03:32.751Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14860
Vulnerability from cvelistv5
Published
2019-07-03 19:01
Modified
2024-08-05 09:38
Severity ?
Summary
Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system.
References
https://github.com/odoo/odoo/issues/32505 (x_refsource_CONFIRM)
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.948Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32505"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-03T19:01:53",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/32505"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14860",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/32505",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/32505"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14860",
    "datePublished": "2019-07-03T19:01:53",
    "dateReserved": "2018-08-02T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.948Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-15631
Vulnerability from cvelistv5
Published
2019-04-09 15:41
Modified
2024-08-05 10:01
Summary
Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request.
Impacted products
Vendor Product Version
Odoo Odoo Enterprise Version: unspecified <= 12.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.359Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/32516"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "12.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "12.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-06T15:06:16",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/32516"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2018-11-28-3",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15631",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "12.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "12.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/",
              "refsource": "MISC",
              "url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-15631/"
            },
            {
              "name": "https://github.com/odoo/odoo/issues/32516",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/32516"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2018-11-28-3",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15631",
    "datePublished": "2019-04-09T15:41:20",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-9416
Vulnerability from cvelistv5
Published
2017-06-03 23:00
Modified
2024-08-05 17:02
Severity ?
Summary
Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service.
References
https://github.com/odoo/odoo/issues/17394 (x_refsource_CONFIRM)
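Impacted products
Vendor Product Version
n/a n/a n/a (the record carries no structured product data; the affected versions, Odoo 8.0, 9.0, and 10.0, appear only in the summary text, so vendor/product matching alone will not find this entry)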


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:02:44.433Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/17394"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-06-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-06-03T23:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/odoo/odoo/issues/17394"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-9416",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/17394",
              "refsource": "CONFIRM",
              "url": "https://github.com/odoo/odoo/issues/17394"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-9416",
    "datePublished": "2017-06-03T23:00:00",
    "dateReserved": "2017-06-03T00:00:00",
    "dateUpdated": "2024-08-05T17:02:44.433Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}