cnvd - cnvd-2020-74056

CNVD-2020-74056

Vulnerability from cnvd - Published: 2020-12-25

Title

Odoo跨站脚本漏洞（CNVD-2020-74056）

Description

Odoo是一款开源企业管理套件,其功能涵盖了CRM、销售、采购、库存管理、生产制造、质量管理、HR全功能、财务管理、项目管理、PLM等一系列完善的企业信息化需求。 Odoo 13.0及更早版本的邮件模块存在跨站脚本漏洞。远程攻击者可通过特制渠道名称利用该漏洞将任意Web脚本注入受害者的浏览器中。

Severity

低

Patch Name

Odoo跨站脚本漏洞（CNVD-2020-74056）的补丁

Patch Description

Odoo是一款开源企业管理套件,其功能涵盖了CRM、销售、采购、库存管理、生产制造、质量管理、HR全功能、财务管理、项目管理、PLM等一系列完善的企业信息化需求。 Odoo 13.0及更早版本的邮件模块存在跨站脚本漏洞。远程攻击者可通过特制渠道名称利用该漏洞将任意Web脚本注入受害者的浏览器中。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.odoo.com/zh_CN/page/download

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-15638

Impacted products

Name
['Odoo Odoo Community <=13.0', 'Odoo Odoo Enterprise <=13.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-15638",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2018-15638"
    }
  },
  "description": "Odoo\u662f\u4e00\u6b3e\u5f00\u6e90\u4f01\u4e1a\u7ba1\u7406\u5957\u4ef6,\u5176\u529f\u80fd\u6db5\u76d6\u4e86CRM\u3001\u9500\u552e\u3001\u91c7\u8d2d\u3001\u5e93\u5b58\u7ba1\u7406\u3001\u751f\u4ea7\u5236\u9020\u3001\u8d28\u91cf\u7ba1\u7406\u3001HR\u5168\u529f\u80fd\u3001\u8d22\u52a1\u7ba1\u7406\u3001\u9879\u76ee\u7ba1\u7406\u3001PLM\u7b49\u4e00\u7cfb\u5217\u5b8c\u5584\u7684\u4f01\u4e1a\u4fe1\u606f\u5316\u9700\u6c42\u3002\n\nOdoo 13.0\u53ca\u66f4\u65e9\u7248\u672c\u7684\u90ae\u4ef6\u6a21\u5757\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u6e20\u9053\u540d\u79f0\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u4efb\u610fWeb\u811a\u672c\u6ce8\u5165\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.odoo.com/zh_CN/page/download",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-74056",
  "openTime": "2020-12-25",
  "patchDescription": "Odoo\u662f\u4e00\u6b3e\u5f00\u6e90\u4f01\u4e1a\u7ba1\u7406\u5957\u4ef6,\u5176\u529f\u80fd\u6db5\u76d6\u4e86CRM\u3001\u9500\u552e\u3001\u91c7\u8d2d\u3001\u5e93\u5b58\u7ba1\u7406\u3001\u751f\u4ea7\u5236\u9020\u3001\u8d28\u91cf\u7ba1\u7406\u3001HR\u5168\u529f\u80fd\u3001\u8d22\u52a1\u7ba1\u7406\u3001\u9879\u76ee\u7ba1\u7406\u3001PLM\u7b49\u4e00\u7cfb\u5217\u5b8c\u5584\u7684\u4f01\u4e1a\u4fe1\u606f\u5316\u9700\u6c42\u3002\r\n\r\nOdoo 13.0\u53ca\u66f4\u65e9\u7248\u672c\u7684\u90ae\u4ef6\u6a21\u5757\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u6e20\u9053\u540d\u79f0\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u4efb\u610fWeb\u811a\u672c\u6ce8\u5165\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Odoo\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-74056\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Odoo Odoo Community \u003c=13.0",
      "Odoo Odoo Enterprise \u003c=13.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-15638",
  "serverity": "\u4f4e",
  "submitTime": "2020-12-23",
  "title": "Odoo\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-74056\uff09"
}

CVE-2018-15638 (GCVE-0-2018-15638)

Vulnerability from cvelistv5 – Published: 2020-12-22 16:25 – Updated: 2024-08-05 10:01

Summary

Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names.

Severity ?

7.1 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Assigner

odoo

References

URL

Tags

https://github.com/odoo/odoo/issues/63703

x_refsource_MISC

Impacted products

Vendor

Product

Version

Odoo

Odoo Community

Affected: unspecified , ≤ 13.0 (custom)

Odoo

Odoo Enterprise

Affected: unspecified , ≤ 13.0 (custom)

Credits

Subash SN and Bharath Kumar (Appsecco) Dipanshu Agrawal

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.270Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63703"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Subash SN and Bharath Kumar (Appsecco)"
        },
        {
          "lang": "en",
          "value": "Dipanshu Agrawal"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:33",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63703"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15638",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Subash SN and Bharath Kumar (Appsecco)"
          },
          {
            "lang": "eng",
            "value": "Dipanshu Agrawal"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63703",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63703"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15638",
    "datePublished": "2020-12-22T16:25:33",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.270Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-74056

CVE-2018-15638 (GCVE-0-2018-15638)

Tags

Sightings

Nomenclature