Security Advisory - CVE-2019-11782
Affects: Odoo 14.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2019-11782
Component: Portal
Credits: Damien LESCOS
Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise
14.0 and earlier, allows remote authenticated users with access to contact
management to modify user accounts, leading to privilege escalation
I. Background
Odoo includes a Portal feature, used to grant limited access to
customers and suppliers. It is typically used to let them see
their orders, invoices, or support tickets.
The Portal module that provides this feature comes with a "Portal Access
Management" wizard that can be used by employees with limited privileges
(such as Sales Representatives) to grant portal access to their customers.
II. Problem Description
Insufficient validation of wizard parameters could allow unprivileged
users to modify other users.
III. Impact
Attack Vector: Network exploitable
Authentication: Employee / Internal User account required
CVSS3 Score: High :: 8.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
A malicious employee / internal user with access to contact management
could craft a special request to modify the contact information of
another user. This could be used to take over the victim's account,
and lead to privilege escalation.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
For version 14.0, administrators may mitigate the problem by blocking
access to the "Portal User Config" model (portal.wizard.user) to
non-administrators, by removing the "Create" and "Write" permissions.
This technique will not work for previous versions.
Applying the patches is strongly recommended.
Odoo Cloud servers have been patched as soon as the correction was available.
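As an added example (not from the advisory and not Odoo's own code), the script below lists the ir.model.access rules that still grant "Create" or "Write" on portal.wizard.user to a non-administrator group, so an administrator can verify that the 14.0 workaround above took effect. The server URL, credentials, the administrator group names and the sample records are assumptions.

```python
# Audit ir.model.access for the "Portal User Config" model (portal.wizard.user):
# report every rule that grants create or write to a group that is not an
# administrator group. Connection details and group names are assumptions.
import xmlrpc.client

MODEL = "portal.wizard.user"
ADMIN_GROUPS = {"Settings", "Access Rights"}  # assumed admin group names


def fetch_access_rules(url, db, login, password):
    """Read the access rules for MODEL through Odoo's XML-RPC API."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
    return models.execute_kw(
        db, uid, password, "ir.model.access", "search_read",
        [[["model_id.model", "=", MODEL]]],
        {"fields": ["name", "group_id", "perm_create", "perm_write"]},
    )


def risky_rules(rules, admin_groups=ADMIN_GROUPS):
    """Return the names of rules granting create/write to non-admin users.
    group_id is an (id, display_name) pair as search_read returns it, or
    False for a rule that applies to every user; display_name is usually
    "Category / Name", so only the last part is compared."""
    out = []
    for rule in rules:
        if not (rule["perm_create"] or rule["perm_write"]):
            continue
        group = rule["group_id"] and rule["group_id"][1]
        if not group or group.split(" / ")[-1] not in admin_groups:
            out.append(rule["name"])
    return out


# Constructed sample shaped like search_read output, used for an offline run.
SAMPLE_RULES = [
    {"name": "portal.wizard.user employee", "perm_create": True,
     "perm_write": True, "group_id": [1, "User types / Internal User"]},
    {"name": "portal.wizard.user admin", "perm_create": True,
     "perm_write": True, "group_id": [2, "Administration / Settings"]},
    {"name": "portal.wizard.user everyone", "perm_create": False,
     "perm_write": True, "group_id": False},
    {"name": "portal.wizard.user readonly", "perm_create": False,
     "perm_write": False, "group_id": [1, "User types / Internal User"]},
]

if __name__ == "__main__":
    # Replace SAMPLE_RULES with fetch_access_rules(url, db, login, password)
    # to audit a live instance; each reported rule should lose Create/Write.
    for name in risky_rules(SAMPLE_RULES):
        print("still grants create/write to non-admins:", name)
```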
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected:
12.0 and 11.0.