Security Advisory - CVE-2019-11781
Affects: Odoo 12.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2019-11781
Component: Portal
Credits: "iamsushi"
Improper input validation in the portal component of Odoo Community 12.0 and earlier
and Odoo Enterprise 12.0 and earlier allows remote attackers to trick
victims into modifying their account via crafted links, leading to privilege
escalation.
I. Background
Odoo includes a Portal feature, used to grant limited access to
non-employees (e.g. customers or suppliers). It is typically used
to let them see their orders, invoices, or support tickets.
This interface is accessible to both employees and external users.
II. Problem Description
A programming error allowed the CSRF protection on the form used to change
user details to be bypassed.
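The protection the advisory says was bypassed, shown as an added example that is not Odoo's code: a generic HMAC-based CSRF token bound to the visitor's session, together with the checks a "change my details" handler must enforce (reject non-POST requests, reject missing, foreign or expired tokens, compare in constant time). The token format, the TTL, the function names and the allowed field list are assumptions of this illustration.

```python
"""Generic server-side CSRF check for a state-changing account form.

Added illustration only; this is not Odoo's implementation. A link crafted by a
third party cannot carry a token valid for the victim's session, so the handler
refuses the request instead of applying the attacker-chosen changes.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed per-process secret; a real deployment keeps this in server config.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600          # assumed lifetime of an issued token
CLOCK_SKEW_SECONDS = 60           # tolerate slightly future timestamps
EDITABLE_FIELDS = {"name", "email", "phone"}   # assumed portal-editable fields


def _mac(session_id: str, ts: int) -> str:
    """HMAC over session id and issue time; only the server can compute it."""
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Token embedded in the form when it is rendered: '<issue-ts>.<hmac>'."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_mac(session_id, ts)}"


def verify_csrf_token(session_id: str, token: str, now: Optional[float] = None) -> bool:
    """True only for a well-formed, unexpired token minted for this session."""
    if not token or "." not in token:
        return False
    ts_str, mac = token.split(".", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = time.time() if now is None else now
    if ts > current + CLOCK_SKEW_SECONDS or current - ts > TOKEN_TTL_SECONDS:
        return False                      # token from the future or expired
    # Constant-time comparison so a mismatch leaks no timing information.
    return hmac.compare_digest(_mac(session_id, ts), mac)


def handle_account_update(method: str, session_id: str, form: Dict[str, str],
                          now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Simulated handler for the 'change my details' form.

    Returns (HTTP status, applied changes). Only a POST carrying a token valid
    for the caller's own session may change anything.
    """
    if method != "POST":
        return 405, {"error": "state changes require POST"}   # a GET link must not mutate
    if not verify_csrf_token(session_id, form.get("csrf_token", ""), now):
        return 403, {"error": "missing or invalid CSRF token"}
    # Whitelist the fields the portal user may edit; drop everything else.
    applied = {k: v for k, v in form.items() if k in EDITABLE_FIELDS}
    return 200, applied


if __name__ == "__main__":
    sid = "victim-session"                     # constructed session identifier
    token = issue_csrf_token(sid)
    print(handle_account_update("GET", sid, {"email": "new@example.com"}))          # 405
    print(handle_account_update("POST", sid, {"email": "new@example.com"}))         # 403, no token
    print(handle_account_update("POST", "other-session",
                                {"csrf_token": token, "email": "new@example.com"})) # 403, foreign token
    print(handle_account_update("POST", sid,
                                {"csrf_token": token, "email": "new@example.com"})) # 200
```

The handler is deliberately strict in two independent ways: the HTTP method check alone defeats a plain crafted link, and the session-bound token defeats a forged POST submitted from an attacker-controlled page. Both checks must run before any field is written.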
III. Impact
Attack Vector: Network exploitable
Authentication: None
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
An attacker could send a user a specially crafted link and trick
them into executing a request changing their details, allowing the
attacker to take over the victim's account.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
There is no known workaround; applying the patches is strongly recommended.
Odoo Cloud servers were patched as soon as the correction was available.
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing the "openerp" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: