Security Advisory - CVE-2018-15641
Affects: Odoo 11.0 through 14.0 (Community and Enterprise Editions)
CVE ID: CVE-2018-15641
Component: Framework
Credits: msg systems ag, Lauri Vakkala (Silverskin),
Bharath Kumar (Appsecco), Anıl Yüksel, Aitor Fuentes (kr0no)
Cross-site scripting (XSS) issue in web module in Odoo Community 11.0
through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote
authenticated internal users to inject arbitrary web script in the
browser of a victim via crafted calendar event attributes.
I. Background
The calendar component of the Odoo framework provides a calendar view and personal
and shared calendars.
II. Problem Description
A programming error in the calendar view causes improper input sanitization of
calendar event attributes.
III. Impact
Attack Vector: Network exploitable
Authentication: "Employee" user account required
CVSS3 Score: Medium :: 6.3
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
An attacker with an Employee / Internal user account could craft a special
calendar event and then trick another user into viewing it, in order to execute
arbitrary web script in their browser. This could lead to privilege escalation
and execution of actions using the session of the other user.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
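The sanitization failure described above, as an added illustration rather than Odoo's own code: one renderer interpolates calendar event attributes into markup raw, the other HTML-escapes every user-controlled value at the HTML sink. The event fields, the template and the helper names are assumptions; the sample event is constructed.

```javascript
// Illustrative example (not Odoo's code): rendering a calendar event whose
// attributes are controlled by another internal user.

// Escape the five characters that can change HTML context, so a value can
// never open a tag or break out of a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: attribute values dropped straight into the template.
// Whatever markup the event carries becomes part of the victim's DOM.
function renderEventUnsafe(event) {
  return `<div class="event" title="${event.description}">${event.name}</div>`;
}

// Hardened pattern: every user-controlled value is escaped at the sink,
// so the rendered tree contains exactly the tags the template defines.
function renderEventSafe(event) {
  return `<div class="event" title="${escapeHtml(event.description)}">${escapeHtml(event.name)}</div>`;
}

// Simple check for review or tests: count the tags actually present in the
// output. For this template a correct renderer yields exactly two (<div>, </div>).
function tagCount(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Constructed sample event (hypothetical fields): the name carries markup and
// the description closes the title attribute's quote.
const sampleEvent = {
  name: "Budget <b>review</b>",
  description: 'Q3" data-x="y',
};

console.log("unsafe:", renderEventUnsafe(sampleEvent), "tags:", tagCount(renderEventUnsafe(sampleEvent)));
console.log("safe:  ", renderEventSafe(sampleEvent), "tags:", tagCount(renderEventSafe(sampleEvent)));
```

Escaping at the sink is the fix the advisory's description implies; validating on input is not a substitute, because the same stored value may be rendered into several contexts (text node, attribute, tooltip) and each sink must encode for its own context.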
IV. Workaround
There is no known workaround; applying the patches is strongly recommended.
Odoo Cloud servers were patched as soon as the correction was available.
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:
    patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected:
12.0 and 11.0.