Security Advisory - CVE-2019-11783
Affects: Odoo 14.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2019-11783
Component: Discuss
Credits: Nils Hamerlinck (Trobz), Christopher Riis Bubeck Eriksen,
Alexandre Diaz, "Raspina Net Pars Group"
Improper access control in mail module (channel partners) in Odoo Community
14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote
authenticated users to subscribe to arbitrary mail channels uninvited.
I. Background
The Discuss application provides generic productivity components to other Odoo
Apps, including a system allowing users to create private or public discussion
channels. This system also allows two users to chat together.
II. Problem Description
A programming error allowed unauthorized users to join private channels.
III. Impact
Attack Vector: Network exploitable
Authentication: User account required
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
A malicious external user who has been granted Portal access could
send a specially crafted request to join private channels, read past
private discussions and receive future notifications.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
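The following Python is an added illustration, not Odoo's code and not the actual patch: it models the access-control gap the advisory describes as the difference between a join handler that only checks that the caller is logged in and one that also checks whether a private channel admitted the caller. The names Channel, User, join_channel_vulnerable, join_channel_fixed, invite and post are invented for the example, and the sample channel data is constructed.

```python
# Added illustrative model (not Odoo's code): the names Channel, User,
# join_channel_vulnerable, join_channel_fixed, invite and post are invented
# here to show an authentication-only check beside an authorization check.
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a request is authenticated but not authorized."""


@dataclass
class User:
    login: str
    portal: bool = False      # external user holding only Portal access


@dataclass
class Channel:
    name: str
    public: bool              # public channel vs private (invite-only)
    members: set = field(default_factory=set)
    invited: set = field(default_factory=set)    # pending invitations
    history: list = field(default_factory=list)  # (author, text) pairs


def join_channel_vulnerable(channel: Channel, user: User) -> list:
    """Modelled 'before' behaviour: the only gate is that the caller is a
    logged-in user, so a crafted join request on a private channel succeeds.
    Returns the channel history the new member can now read."""
    channel.members.add(user.login)
    return list(channel.history)


def join_channel_fixed(channel: Channel, user: User) -> list:
    """Modelled 'after' behaviour: joining a public channel stays self-service,
    joining a private channel requires an invitation issued by a member."""
    if not channel.public and user.login not in channel.invited:
        raise AccessDenied(f"{user.login} was not invited to {channel.name}")
    channel.invited.discard(user.login)
    channel.members.add(user.login)
    return list(channel.history)


def invite(channel: Channel, inviter: User, invitee: User) -> None:
    """Only an existing member may invite someone to a private channel."""
    if inviter.login not in channel.members:
        raise AccessDenied(f"{inviter.login} is not a member of {channel.name}")
    channel.invited.add(invitee.login)


def post(channel: Channel, author: User, text: str) -> list:
    """Record a message and return who is notified of it: every member,
    which is why an uninvited member also receives future notifications."""
    if author.login not in channel.members:
        raise AccessDenied(f"{author.login} is not a member of {channel.name}")
    channel.history.append((author.login, text))
    return sorted(channel.members)


def make_private_channel() -> Channel:
    # Constructed sample data for the demonstration.
    board = Channel("board", public=False)
    board.members.update({"alice", "bob"})
    board.history.append(("alice", "draft numbers, do not share"))
    return board


def scenario() -> dict:
    """Run the same crafted join request against both variants and report
    what a portal user ends up with in each case."""
    mallory = User("mallory", portal=True)
    alice = User("alice")
    carol = User("carol")

    # 1. Vulnerable variant: the portal user reads history and gets notified.
    vuln = make_private_channel()
    leaked = join_channel_vulnerable(vuln, mallory)
    notified_vuln = post(vuln, alice, "Q3 plan attached")

    # 2. Fixed variant: the same request is refused...
    fixed = make_private_channel()
    try:
        join_channel_fixed(fixed, mallory)
        denied = False
    except AccessDenied:
        denied = True
    notified_fixed = post(fixed, alice, "Q3 plan attached")

    # ...while the legitimate path (member invites, invitee joins) still works,
    # and public channels remain open to any authenticated user.
    invite(fixed, alice, carol)
    carol_sees = join_channel_fixed(fixed, carol)
    lounge = Channel("lounge", public=True)
    join_channel_fixed(lounge, mallory)

    return {
        "leaked_messages_vulnerable": len(leaked),
        "mallory_notified_vulnerable": "mallory" in notified_vuln,
        "denied_fixed": denied,
        "mallory_notified_fixed": "mallory" in notified_fixed,
        "carol_sees_after_invite": len(carol_sees),
        "mallory_in_public": "mallory" in lounge.members,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of the model is that "authenticated" (PR:L in the CVSS vector above) is not the same as "authorized": the fixed handler keys the decision on the channel's own state (public flag, pending invitations) rather than on the mere existence of a session, which is what closes the path to past history and future notifications.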
IV. Workaround
There is no known workaround; applying the patches is strongly recommended.
Odoo Cloud servers were patched as soon as the correction was available.
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing the "odoo" and "addons" directories;
on older releases the first is named "openerp"), then execute the
patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
Running the same command with the --dry-run option first reports
whether every hunk applies cleanly without modifying any file.
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected:
12.0 and 11.0.