Security Advisory - ODOO-SA-2018-08-07-4
Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request.
Affects: Odoo 9.0, 10.0, 11.0 (Community and Enterprise Editions)
Component: mail
Credits: Nils Hamerlinck (Trobz)
CVE ID: CVE-2018-14862
I. Background
Odoo's chatter engine allows users to create templates for commonly
used messages. To make it faster to use, the system allows template authors
to create a shortcut action to reuse the template.
II. Problem Description
The shortcut removal mechanism can be abused to remove other parts of the
interface.
III. Impact
Attack Vector: Network exploitable
Authentication: User account required
CVSS3 Score: High :: 7.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
A malicious employee could craft RPC requests that cause the deletion of
arbitrary menu entries of the user interface.
While there is no loss of business data, removing menu entries would make the
system very difficult to use until repaired.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
Restricting create and write access on the mail.template model to trusted
users only mitigates the attack until the patch can be applied.
Odoo Online servers have been patched as soon as the correction was
available.
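A check an administrator can use to verify that workaround, as an added example that is not part of the original advisory or of Odoo's code base: it reads the ir.model.access rules on mail.template through Odoo's XML-RPC API and flags any rule that still grants create or write to a group outside an assumed trusted set (a rule with no group applies to every internal user, which is exactly what the workaround wants removed). The trusted-group names, the SAMPLE_RULES records and the server parameters are constructed assumptions; the method and field names (authenticate, execute_kw, search_read, perm_create, perm_write) are Odoo's standard ones.

```python
"""Audit which groups may create or write mail.template records (ODOO-SA-2018-08-07-4 workaround).

Added example, not Odoo's own code. Server URL, database, credentials,
trusted-group names and SAMPLE_RULES are assumptions for illustration.
"""
import xmlrpc.client

# Assumption: only these groups should keep create/write on mail.template.
TRUSTED_GROUPS = {"Administration / Settings"}

# Constructed sample shaped like ir.model.access search_read output
# (many2one fields come back as [id, display_name] or False).
SAMPLE_RULES = [
    {"id": 1, "name": "mail.template.admin",
     "group_id": [2, "Administration / Settings"],
     "perm_create": True, "perm_write": True, "perm_unlink": True},
    {"id": 2, "name": "mail.template.employee",
     "group_id": [9, "Employee"],
     "perm_create": True, "perm_write": True, "perm_unlink": False},
    {"id": 3, "name": "mail.template.readonly",
     "group_id": False,
     "perm_create": False, "perm_write": False, "perm_unlink": False},
]


def fetch_template_access(url, db, login, password):
    """Read every ir.model.access rule on mail.template from a live server."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    if not uid:
        raise PermissionError("authentication failed")
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
    return models.execute_kw(
        db, uid, password, "ir.model.access", "search_read",
        [[("model_id.model", "=", "mail.template")]],
        {"fields": ["name", "group_id", "perm_create", "perm_write", "perm_unlink"]},
    )


def risky_rules(access_rules, trusted_groups=TRUSTED_GROUPS):
    """Return (rule name, group, granted perms) for rules that let a
    non-trusted group create or write mail.template records."""
    findings = []
    for rule in access_rules:
        perms = [p for p in ("perm_create", "perm_write") if rule[p]]
        if not perms:
            continue  # read/unlink-only rules are not the issue here
        group = rule["group_id"]
        group_name = group[1] if group else "<all internal users>"
        if group_name in trusted_groups:
            continue
        findings.append((rule["name"], group_name, perms))
    return findings


def revoke_create_write(url, db, login, password, rule_ids):
    """Apply the workaround on a live server: drop create/write from the
    flagged rules (leaves read access intact)."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
    return models.execute_kw(
        db, uid, password, "ir.model.access", "write",
        [list(rule_ids), {"perm_create": False, "perm_write": False}],
    )


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_template_access(...)
    # for a real audit.
    for name, group, perms in risky_rules(SAMPLE_RULES):
        print(f"{name}: {group} still has {', '.join(perms)} on mail.template")
```

On a real instance, feed the output of fetch_template_access into risky_rules and pass the flagged rule ids to revoke_create_write; re-run the audit afterwards and expect an empty result. Record rules granted to the template-authoring groups you deliberately keep in TRUSTED_GROUPS so the audit stays meaningful after the patch is applied.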
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: