Security Advisory - CVE-2021-44465
Affects: Odoo 13.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-44465
Component: Website Mail
Credits: Swapnesh Shah
Improper access control in Odoo Community 13.0 and earlier and Odoo
Enterprise 13.0 and earlier allows authenticated attackers to subscribe
to receive future notifications and comments related to arbitrary
business records in the system, via crafted RPC requests.
I. Background
The Website Mail module adds generic components to follow group discussions
on a website for external users.
II. Problem Description
Improper content validation allowed users to follow arbitrary documents where the
discussion feature is available, including ones the user does not have
access to.
III. Impact
Attack Vector: Network exploitable
Authentication: None
CVSS3 Score: Medium :: 5.3
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
An attacker might craft requests to follow private documents and receive future
messages. Some documents use the list of followers as a way to determine
access to the parent document; in those cases this could be used to escalate into
reading the content of the followed document through the portal.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
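To make the escalation path above concrete, here is an added illustration that is not Odoo's code: a toy follower service where, as the advisory describes, the follower list also grants portal read access. The names (Record, FollowService, "business.record", the user names) are hypothetical; the `check_access` flag toggles the missing validation, so the same scenario can be run with and without the fix.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    """Constructed business record with an explicit ACL and a follower list."""
    model: str
    res_id: int
    readers: set                              # users explicitly allowed to read
    followers: set = field(default_factory=set)


class FollowService:
    """Toy discussion service; check_access=False reproduces the flawed behaviour."""

    def __init__(self, records, check_access=True):
        self.records = {(r.model, r.res_id): r for r in records}
        self.check_access = check_access

    def subscribe(self, user, model, res_id):
        rec = self.records[(model, res_id)]
        # The corrected behaviour: a user may only follow a record they can
        # already read under the explicit ACL (never via the follower list,
        # which would make the check circular).
        if self.check_access and user not in rec.readers:
            raise PermissionError(f"{user} may not follow {model},{res_id}")
        rec.followers.add(user)

    def read(self, user, model, res_id):
        rec = self.records[(model, res_id)]
        # Portal-style rule from the advisory: followers count as readers, which
        # is what turns an unvalidated subscribe into a read escalation.
        if user not in rec.readers and user not in rec.followers:
            raise PermissionError(f"{user} may not read {model},{res_id}")
        return {"model": model, "res_id": res_id, "followers": sorted(rec.followers)}


def follow_then_read(check_access):
    """Return (subscribed, readable) for an outsider trying a private record."""
    svc = FollowService([Record("business.record", 7, readers={"internal_user"})],
                        check_access=check_access)
    try:
        svc.subscribe("portal_user", "business.record", 7)
        subscribed = True
    except PermissionError:
        subscribed = False
    try:
        svc.read("portal_user", "business.record", 7)
        readable = True
    except PermissionError:
        readable = False
    return subscribed, readable
```

With `check_access=False` the outsider both subscribes and reads; with the check in place both steps are refused, while a user in `readers` can still follow normally.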
IV. Workaround
No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.
Odoo Cloud servers have been patched as soon as the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html
VI. Correction details
The following list contains the patches that fix the vulnerability for
each version: