Security Advisory - CVE-2018-15633
Affects: Odoo 11.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2018-15633
Component: "document" module
Credits: Nathanael ROTA (Capgemini), Lauri Vakkala (Silverskin),
Tomas Canzoniero
A cross-site scripting (XSS) issue in the "document" module of Odoo Community 11.0
and earlier and Odoo Enterprise 11.0 and earlier allows remote attackers
to inject arbitrary web script into the browser of a victim via crafted
attachment filenames.
I. Background
Odoo 11 and earlier supported a generic feature where files could be
attached to any record by installing the "document" module.
This module has been replaced by a new mechanism in later versions.
II. Problem Description
Some attributes of attached files, such as the filename, were not properly sanitized before being rendered.
III. Impact
Attack Vector: Network exploitable
Authentication: No user account required
CVSS3 Score: High :: 7.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
An attacker could craft a special attachment on a shared record and trick
a user into viewing it, in order to execute arbitrary web script in their
browser. This could lead to privilege escalation and execution of actions
using the session of the victim.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
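As an added illustration (not Odoo's code and not the actual correction), the following Python shows the general pattern behind this class of issue and its fix: an attachment name interpolated into markup verbatim, the same name HTML-escaped before rendering, and a small audit helper that flags existing attachment names containing markup characters. The attachment rows, the URL shape and the function names are constructed for this example.

```python
import html
import re

# Constructed sample rows, shaped loosely like the fields an attachment
# list would render (id, name, mimetype). Made up for this example, not
# data from any Odoo instance.
SAMPLE_ATTACHMENTS = [
    {"id": 1, "name": "invoice_2018.pdf", "mimetype": "application/pdf"},
    {"id": 2, "name": "quote<script>alert(1)</script>.txt", "mimetype": "text/plain"},
    {"id": 3, "name": 'photo" onmouseover="alert(1)".png', "mimetype": "image/png"},
]


def render_row_unsafe(att):
    """The kind of template that produces the issue: the filename is
    interpolated into markup verbatim, so markup in the name becomes
    markup in the page."""
    return (f'<li data-id="{att["id"]}">'
            f'<a href="/web/content/{att["id"]}">{att["name"]}</a></li>')


def render_row_safe(att):
    """Fix: HTML-escape every attacker-influenced attribute before it
    reaches the page. quote=True also escapes " and ' so the value is
    safe inside attribute values, not only in text nodes."""
    name = html.escape(att["name"], quote=True)
    return (f'<li data-id="{att["id"]}">'
            f'<a href="/web/content/{att["id"]}">{name}</a></li>')


# Characters that have no business in a filename shown in an HTML list and
# that only make sense as an attempt to break out of the surrounding markup.
MARKUP_CHARS = re.compile(r'[<>"\']')


def suspicious_attachments(attachments):
    """Return the ids of attachments whose name contains markup characters.
    Useful for auditing existing records on an instance that has not yet
    been patched; a hit is a reason to inspect the record, not proof of
    exploitation."""
    return [a["id"] for a in attachments if MARKUP_CHARS.search(a["name"])]


def render_list(attachments, safe=True):
    """Render the whole attachment list with either renderer."""
    renderer = render_row_safe if safe else render_row_unsafe
    return "<ul>" + "".join(renderer(a) for a in attachments) + "</ul>"


if __name__ == "__main__":
    print(render_list(SAMPLE_ATTACHMENTS, safe=False))
    print(render_list(SAMPLE_ATTACHMENTS, safe=True))
    print("suspicious ids:", suspicious_attachments(SAMPLE_ATTACHMENTS))
```

Escaping at the point of output is the durable fix; the audit helper only narrows down which existing records deserve a look, since a filename can legitimately contain a quote character.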
IV. Workaround
The module "Attachments List and Document Indexation" (document) can be
uninstalled as a workaround. Applying the patch is strongly recommended.
Odoo Cloud servers were patched as soon as the correction was available.
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing the "openerp" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: