Security Advisory - ODOO-SA-2018-11-28-2
Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a crafted name.
Affects: Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier
Component: Discuss
Credits: Juba Baghdad, Adan Álvarez (A2secure), Bharath Kumar (Appsecco)
and Subash SN (Appsecco)
CVE ID: CVE-2018-15635
I. Background
The Discuss App provides generic productivity components to other Odoo Apps,
including a "follower" system allowing users to subscribe to status updates and
other discussions related to a given document.
II. Problem Description
The Discuss component for inviting a follower on a document did not properly
sanitize the document information when generating the invitation text.
III. Impact
Attack Vector: Network exploitable
Authentication: No privileged account necessary
CVSS3 Score: Medium :: 5.9
CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
A remote attacker could employ various techniques to inject a document with
a malicious name into a vulnerable Odoo deployment, via contact forms, job
forms, email routes (aliases), etc.
The attacker could then use social engineering techniques to trick an internal
user of the system into inviting them on the document with a crafted name, which
could trigger the execution of arbitrary web script in the victim's browser.
This could lead to the leak of sensitive data, or even complete session takeover.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
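The rendering flaw described above, reconstructed as an added Python example (this is not Odoo's code; the document names, the invitation template and the inviter are constructed for illustration): the invitation text is built from a document name that arrived through a public form, shown unescaped beside the escaped form, with a crude check a defender can run over rendered output or over stored names on an instance that is not yet patched.

```python
"""Vulnerable vs. hardened rendering of a follower-invitation text.

Illustrative reconstruction of the bug class in CVE-2018-15635, not Odoo's
own code: a document name that came from an untrusted source (contact form,
job form, mail alias) is placed into the HTML invitation an internal user
sends when adding a follower.
"""
import re
from html import escape

# Constructed sample records (not real Odoo data).
CRAFTED_NAME = "Job application <script>alert(1)</script>"
SAFE_NAME = "Job application from J. Doe <jdoe@example.com>"

TEMPLATE = "<p>{inviter} invited you to follow <b>{doc_name}</b></p>"


def invitation_text_vulnerable(doc_name: str, inviter: str) -> str:
    """The flaw: untrusted fields are interpolated into markup verbatim."""
    return TEMPLATE.format(inviter=inviter, doc_name=doc_name)


def invitation_text_fixed(doc_name: str, inviter: str) -> str:
    """Hardened form: HTML-escape every untrusted field before interpolation.
    html.escape() also escapes quotes, so the value is safe inside attributes."""
    return TEMPLATE.format(inviter=escape(inviter), doc_name=escape(doc_name))


# Markup that executes when a fragment is inserted into the DOM: script-like
# tags, inline event handlers (onload=, onerror=, ...) and javascript: URLs.
_ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:", re.I
)


def contains_active_markup(fragment: str) -> bool:
    """Review check on rendered output: escaped text never matches, because
    '<' has become '&lt;' and attribute syntax can no longer form."""
    return _ACTIVE_MARKUP.search(fragment) is not None


def flag_suspicious_names(names):
    """Hunt helper for an unpatched instance: list stored document names that
    carry active markup, so they can be reviewed before anyone invites a
    follower on them. Angle brackets alone (an e-mail address in a name, for
    example) are not flagged, which keeps false positives down."""
    return [n for n in names if contains_active_markup(n)]


if __name__ == "__main__":
    for render in (invitation_text_vulnerable, invitation_text_fixed):
        out = render(CRAFTED_NAME, "Alice")
        print(render.__name__, "->", "UNSAFE" if contains_active_markup(out) else "safe")
    print("suspicious:", flag_suspicious_names([CRAFTED_NAME, SAFE_NAME]))
```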
IV. Workaround
No workaround is available, but the issue is mitigated by the fact that the
attacker will have to create a document with a suspicious name containing
scripting code, so the victim is likely to notice it before inviting them.
Applying the patch is strongly recommended.
Odoo Online servers were patched as soon as the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation.
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/12.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing the "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to the latest source
code layout of the Odoo project on GitHub. If your installation differs, please
extract the various patch hunks from the files and apply them in the appropriate
locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: