cnvd - cnvd-2020-74057

CNVD-2020-74057

Vulnerability from cnvd - Published: 2020-12-25

Title

Odoo跨站脚本漏洞（CNVD-2020-74057）

Description

Odoo是比利时Odoo公司的一套企业资源计划（ERP）和客户关系管理（CRM）系统。该系统采用Python语言开发，PostgreSQL作为数据库，并包括销售管理、库存管理、财务管理等模块。 Odoo Community 11.0版本至14.0版本 and Odoo Enterprise 11.0版本至14.0版本存在跨站脚本漏洞，该漏洞源于web模块跨站脚本(XSS)问题，远程攻击者可利用该漏洞通过精心制作的日历事件属性将任意web脚本注入到受害者的浏览器中。

Severity

低

Patch Name

Odoo跨站脚本漏洞（CNVD-2020-74057）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.odoo.com/zh_CN/page/download

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-15641

Impacted products

Name
['Odoo Odoo Community >=11.0，<=14.0', 'Odoo Odoo Enterprise >=11.0，<=14.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-15641",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2018-15641"
    }
  },
  "description": "Odoo\u662f\u6bd4\u5229\u65f6Odoo\u516c\u53f8\u7684\u4e00\u5957\u4f01\u4e1a\u8d44\u6e90\u8ba1\u5212\uff08ERP\uff09\u548c\u5ba2\u6237\u5173\u7cfb\u7ba1\u7406\uff08CRM\uff09\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u91c7\u7528Python\u8bed\u8a00\u5f00\u53d1\uff0cPostgreSQL\u4f5c\u4e3a\u6570\u636e\u5e93\uff0c\u5e76\u5305\u62ec\u9500\u552e\u7ba1\u7406\u3001\u5e93\u5b58\u7ba1\u7406\u3001\u8d22\u52a1\u7ba1\u7406\u7b49\u6a21\u5757\u3002\n\nOdoo Community 11.0\u7248\u672c\u81f314.0\u7248\u672c and Odoo Enterprise 11.0\u7248\u672c\u81f314.0\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eweb\u6a21\u5757\u8de8\u7ad9\u811a\u672c(XSS)\u95ee\u9898\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7cbe\u5fc3\u5236\u4f5c\u7684\u65e5\u5386\u4e8b\u4ef6\u5c5e\u6027\u5c06\u4efb\u610fweb\u811a\u672c\u6ce8\u5165\u5230\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.odoo.com/zh_CN/page/download",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-74057",
  "openTime": "2020-12-25",
  "patchDescription": "Odoo\u662f\u6bd4\u5229\u65f6Odoo\u516c\u53f8\u7684\u4e00\u5957\u4f01\u4e1a\u8d44\u6e90\u8ba1\u5212\uff08ERP\uff09\u548c\u5ba2\u6237\u5173\u7cfb\u7ba1\u7406\uff08CRM\uff09\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u91c7\u7528Python\u8bed\u8a00\u5f00\u53d1\uff0cPostgreSQL\u4f5c\u4e3a\u6570\u636e\u5e93\uff0c\u5e76\u5305\u62ec\u9500\u552e\u7ba1\u7406\u3001\u5e93\u5b58\u7ba1\u7406\u3001\u8d22\u52a1\u7ba1\u7406\u7b49\u6a21\u5757\u3002\r\n\r\nOdoo Community 11.0\u7248\u672c\u81f314.0\u7248\u672c and Odoo Enterprise 11.0\u7248\u672c\u81f314.0\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eweb\u6a21\u5757\u8de8\u7ad9\u811a\u672c(XSS)\u95ee\u9898\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7cbe\u5fc3\u5236\u4f5c\u7684\u65e5\u5386\u4e8b\u4ef6\u5c5e\u6027\u5c06\u4efb\u610fweb\u811a\u672c\u6ce8\u5165\u5230\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Odoo\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-74057\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Odoo Odoo Community \u003e=11.0\uff0c\u003c=14.0",
      "Odoo Odoo Enterprise \u003e=11.0\uff0c\u003c=14.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-15641",
  "serverity": "\u4f4e",
  "submitTime": "2020-12-23",
  "title": "Odoo\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-74057\uff09"
}

CVE-2018-15641 (GCVE-0-2018-15641)

Vulnerability from cvelistv5 – Published: 2020-12-22 16:25 – Updated: 2024-08-05 10:01

Summary

Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Assigner

odoo

References

URL

Tags

https://github.com/odoo/odoo/issues/63704

x_refsource_MISC

Impacted products

Vendor

Product

Version

Odoo

Odoo Community

Affected: 11.0 , < unspecified (custom)

Odoo	Odoo Enterprise	Affected: 11.0 , < unspecified (custom)
Odoo	Odoo Community	Affected: unspecified , ≤ 14.0 (custom)
Odoo	Odoo Enterprise	Affected: unspecified , ≤ 14.0 (custom)

Credits

msg systems ag Lauri Vakkala (Silverskin) Bharath Kumar (Appsecco) Anıl Yüksel Aitor Fuentes (kr0no)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.277Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63704"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "11.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "11.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "msg systems ag"
        },
        {
          "lang": "en",
          "value": "Lauri Vakkala (Silverskin)"
        },
        {
          "lang": "en",
          "value": "Bharath Kumar (Appsecco)"
        },
        {
          "lang": "en",
          "value": "An\u0131l Y\u00fcksel"
        },
        {
          "lang": "en",
          "value": "Aitor Fuentes (kr0no)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:34",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63704"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15641",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "11.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "msg systems ag"
          },
          {
            "lang": "eng",
            "value": "Lauri Vakkala (Silverskin)"
          },
          {
            "lang": "eng",
            "value": "Bharath Kumar (Appsecco)"
          },
          {
            "lang": "eng",
            "value": "An\u0131l Y\u00fcksel"
          },
          {
            "lang": "eng",
            "value": "Aitor Fuentes (kr0no)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63704",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63704"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15641",
    "datePublished": "2020-12-22T16:25:34",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-74057

CVE-2018-15641 (GCVE-0-2018-15641)

Tags

Sightings

Nomenclature