Skip to content

[SEC] CVE-2021-44775 - Cross-site scripting (XSS) issue in Website a... #107691

Closed
@odony

Description

@odony

Security Advisory - CVE-2021-44775

Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-44775
Component: Website
Credits: Holger Brunn (Therp BV)

Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and
earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to
inject arbitrary web script in the browser of a victim, by posting crafted
contents.

I. Background

Iframes can be inserted into a website page via the website editor. This allows
to embed external content such as videos into a forum question.

II. Problem Description

Improper content validation allowed to inject arbitrary web script code in the
iframe definition that would be executed by the visitor of the page.

III. Impact

Attack Vector: Network exploitable
Authentication: User account required (including portal users)
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

An attacker might insert malicious code into a page that will be executed by
another user visiting the page.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

No workaround is available, updating to the latest revision or applying the
corresponding patch is strongly recommended.

Odoo Cloud servers have been patched as soon as the correction was available.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the patches that fix the vulnerability for
each version:

  • 13.0: 384d67b
  • 14.0: 74532a0
  • 15.0: 88ab30b
  • 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Securitysecurity announcements

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions