Security Advisory - CVE-2018-15645
Affects: Odoo 12.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2018-15645
Component: Discuss
Credits: Nils Hamerlinck (Trobz)
Improper access control in message routing in Odoo Community 12.0 and earlier
and Odoo Enterprise 12.0 and earlier allows remote authenticated users
to create arbitrary records via crafted payloads, which may allow privilege
escalation.
I. Background
The Discuss module handles discussions between users and provides
discussion threads on business objects. Discuss messages can be sent via the
user interface or over email.
II. Problem Description
A programming error allowed unauthorized users to abuse the email processing
mechanism.
III. Impact
Attack Vector: Network exploitable
Authentication: User account required
CVSS3 Score: High :: 8.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
An attacker with a Portal user account could craft a special request to create
arbitrary records with chosen attributes. This could lead to privilege escalation.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
There is no known workaround; applying the patches is strongly recommended.
Odoo Cloud servers were patched as soon as the correction was available.
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing the "openerp" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
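Added example, not part of the Odoo advisory: a POSIX sh wrapper for the patch procedure above that checks the installation root for the expected directories, dry-runs the patch, and applies it only when every hunk applies cleanly, so a layout mismatch never leaves the tree half-patched. Accepting an "odoo" core directory for newer layouts, and the INSTALL_DIR/PATCH_FILE paths in the usage line, are assumptions of this example.

```shell
#!/bin/sh
# Requires the `patch` command. Directory and patch paths below are placeholders.

# Return 0 when $1 looks like an Odoo checkout root: it must contain an
# "addons" directory and the core package directory ("openerp" as named in
# the advisory; "odoo" is assumed here for newer layouts).
check_layout() {
    dir=$1
    [ -d "$dir/addons" ] || return 1
    [ -d "$dir/openerp" ] || [ -d "$dir/odoo" ] || return 1
    return 0
}

# Apply an advisory patch from the installation root.
# Exit codes: 0 applied; 1 bad arguments or layout; 2 dry run failed,
# meaning the hunks must be extracted and applied by hand as the advisory says.
apply_odoo_patch() {
    dir=$1
    patch_file=$2
    [ -f "$patch_file" ] || { echo "patch file not found: $patch_file" >&2; return 1; }
    check_layout "$dir" || { echo "$dir does not look like an Odoo root" >&2; return 1; }
    # Dry run first: only touch the tree if every hunk applies.
    if ! (cd "$dir" && patch -p0 -f --dry-run < "$patch_file" >/dev/null); then
        echo "dry run failed: extract the hunks and apply them manually" >&2
        return 2
    fi
    (cd "$dir" && patch -p0 -f < "$patch_file")
}

# Usage (placeholder paths): apply_odoo_patch /opt/odoo /path/to/the_patch_file.patch
```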
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: