cnvd - cnvd-2020-73762

CNVD-2020-73762

Vulnerability from cnvd - Published: 2020-12-24

Title

Odoo跨站脚本漏洞（CNVD-2020-73762）

Description

Odoo是一款开源企业管理套件,其功能涵盖了CRM、销售、采购、库存管理、生产制造、质量管理、HR全功能、财务管理、项目管理、PLM等一系列完善的企业信息化需求。 Odoo 11.0及更早版本的“文档”模块存在跨站脚本漏洞。远程攻击者可通过特制附件文件名利用该漏洞将任意Web脚本注入受害者的浏览器中。

Severity

中

Patch Name

Odoo跨站脚本漏洞（CNVD-2020-73762）的补丁

Patch Description

Odoo是一款开源企业管理套件,其功能涵盖了CRM、销售、采购、库存管理、生产制造、质量管理、HR全功能、财务管理、项目管理、PLM等一系列完善的企业信息化需求。 Odoo 11.0及更早版本的“文档”模块存在跨站脚本漏洞。远程攻击者可通过特制附件文件名利用该漏洞将任意Web脚本注入受害者的浏览器中。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.odoo.com/zh_CN/page/download

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-15633

Impacted products

Name
Odoo Odoo <=11.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-15633",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2018-15633"
    }
  },
  "description": "Odoo\u662f\u4e00\u6b3e\u5f00\u6e90\u4f01\u4e1a\u7ba1\u7406\u5957\u4ef6,\u5176\u529f\u80fd\u6db5\u76d6\u4e86CRM\u3001\u9500\u552e\u3001\u91c7\u8d2d\u3001\u5e93\u5b58\u7ba1\u7406\u3001\u751f\u4ea7\u5236\u9020\u3001\u8d28\u91cf\u7ba1\u7406\u3001HR\u5168\u529f\u80fd\u3001\u8d22\u52a1\u7ba1\u7406\u3001\u9879\u76ee\u7ba1\u7406\u3001PLM\u7b49\u4e00\u7cfb\u5217\u5b8c\u5584\u7684\u4f01\u4e1a\u4fe1\u606f\u5316\u9700\u6c42\u3002\n\nOdoo 11.0\u53ca\u66f4\u65e9\u7248\u672c\u7684\u201c\u6587\u6863\u201d\u6a21\u5757\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u9644\u4ef6\u6587\u4ef6\u540d\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u4efb\u610fWeb\u811a\u672c\u6ce8\u5165\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.odoo.com/zh_CN/page/download",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-73762",
  "openTime": "2020-12-24",
  "patchDescription": "Odoo\u662f\u4e00\u6b3e\u5f00\u6e90\u4f01\u4e1a\u7ba1\u7406\u5957\u4ef6,\u5176\u529f\u80fd\u6db5\u76d6\u4e86CRM\u3001\u9500\u552e\u3001\u91c7\u8d2d\u3001\u5e93\u5b58\u7ba1\u7406\u3001\u751f\u4ea7\u5236\u9020\u3001\u8d28\u91cf\u7ba1\u7406\u3001HR\u5168\u529f\u80fd\u3001\u8d22\u52a1\u7ba1\u7406\u3001\u9879\u76ee\u7ba1\u7406\u3001PLM\u7b49\u4e00\u7cfb\u5217\u5b8c\u5584\u7684\u4f01\u4e1a\u4fe1\u606f\u5316\u9700\u6c42\u3002\r\n\r\nOdoo 11.0\u53ca\u66f4\u65e9\u7248\u672c\u7684\u201c\u6587\u6863\u201d\u6a21\u5757\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u9644\u4ef6\u6587\u4ef6\u540d\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u4efb\u610fWeb\u811a\u672c\u6ce8\u5165\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Odoo\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-73762\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Odoo Odoo \u003c=11.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-15633",
  "serverity": "\u4e2d",
  "submitTime": "2020-12-23",
  "title": "Odoo\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-73762\uff09"
}

CVE-2018-15633 (GCVE-0-2018-15633)

Vulnerability from cvelistv5 – Published: 2020-12-22 16:25 – Updated: 2024-08-05 10:01

Summary

Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames.

Severity ?

7.1 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Assigner

odoo

References

URL

Tags

https://github.com/odoo/odoo/issues/63701

x_refsource_MISC

Impacted products

Vendor

Product

Version

Odoo

Odoo Community

Affected: unspecified , ≤ 11.0 (custom)

Odoo

Odoo Enterprise

Affected: unspecified , ≤ 11.0 (custom)

Credits

Nathanael ROTA (Capgemini) Lauri Vakkala (Silverskin) Tomas Canzoniero

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.221Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63701"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "11.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "11.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Nathanael ROTA (Capgemini)"
        },
        {
          "lang": "en",
          "value": "Lauri Vakkala (Silverskin)"
        },
        {
          "lang": "en",
          "value": "Tomas Canzoniero"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in \"document\" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:32",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63701"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15633",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Nathanael ROTA (Capgemini)"
          },
          {
            "lang": "eng",
            "value": "Lauri Vakkala (Silverskin)"
          },
          {
            "lang": "eng",
            "value": "Tomas Canzoniero"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) issue in \"document\" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63701",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63701"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15633",
    "datePublished": "2020-12-22T16:25:32",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.221Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-73762

CVE-2018-15633 (GCVE-0-2018-15633)

Tags

Sightings

Nomenclature