Security Advisory - ODOO-SA-2018-11-28-1
Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request.
Affects: Odoo 10.0 Enterprise through 12.0 (Enterprise Editions only)
Component: Helpdesk
Credits: Martin Trigaux and Jérôme Maes
CVE ID: CVE-2018-15640
I. Background
Odoo's Helpdesk App provides multi-channel customer service, with tools
for managing SLA rules, automated actions and team productivity objectives.
II. Problem Description
The web route used to allow helpdesk agents to change their own productivity
targets did not properly control access, and could allow any user to modify
arbitrary attributes of their own user profile.
III. Impact
Attack Vector: Network exploitable
Authentication: User account required
CVSS3 Score: High :: 8.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
A malicious user (including external portal users) could craft a request
to alter arbitrary attributes of their own user profile, including sensitive
attributes like the user group they belong to.
This would allow them to gain elevated privileges on the system.
This vulnerability only affects Odoo Enterprise deployments where the Helpdesk
application is installed.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
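As an added illustration of the bug class described above (not Odoo's code and not the actual correction), the Python sketch below contrasts a self-service update handler that writes every submitted attribute to the caller's user record with a hardened version that only accepts an explicit allowlist of productivity-target fields. The User record, the field names target_closed and target_rating, and the group names are constructed placeholders for the example.

```python
# Added example, not Odoo's code: a "write whatever the request carries" handler
# beside an allowlist-based one. Field and group names are constructed placeholders.
from dataclasses import dataclass, field


class AccessError(Exception):
    """Raised when a request names a field this route must not expose."""


@dataclass
class User:
    login: str
    groups: set = field(default_factory=lambda: {"portal"})
    target_closed: int = 0       # hypothetical productivity-target fields
    target_rating: float = 0.0


# The only attributes an agent may legitimately change about themselves here.
SELF_EDITABLE_FIELDS = {"target_closed", "target_rating"}


def vulnerable_update(user: User, payload: dict) -> User:
    """Pre-fix pattern: trusts the request, so a key named 'groups'
    rewrites the caller's own group membership."""
    for name, value in payload.items():
        setattr(user, name, value)
    return user


def hardened_update(user: User, payload: dict) -> User:
    """Fixed pattern: reject any key outside the allowlist before writing
    anything, so privileged attributes never reach the record."""
    unexpected = set(payload) - SELF_EDITABLE_FIELDS
    if unexpected:
        raise AccessError(f"fields not editable via this route: {sorted(unexpected)}")
    for name in SELF_EDITABLE_FIELDS & set(payload):
        setattr(user, name, payload[name])
    return user


def demo() -> tuple:
    """Feed the same constructed request to both handlers and return the
    group set each one leaves on the user."""
    request = {"target_closed": 5, "groups": {"portal", "admin"}}  # constructed
    before = vulnerable_update(User("agent"), dict(request)).groups
    hardened_user = User("agent")
    try:
        hardened_update(hardened_user, dict(request))
    except AccessError:
        pass  # request refused as a whole; nothing was written
    return before, hardened_user.groups
```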
IV. Workaround
Uninstalling the Helpdesk App is the only known workaround to prevent
exploitation of this vulnerability, at the expense of losing all the features of
that App and causing other parts of the Odoo deployment to stop working
(depending on the version and other installed Apps).
Applying the patch is strongly recommended.
Odoo Online servers were patched as soon as the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation.
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/12.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to the latest source
code layout of the Odoo project on GitHub. If your installation differs, please
extract the various patch hunks from the files and apply them in the appropriate
locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: