Security Advisory - CVE-2019-11786
Affects: Odoo 13.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2019-11786
Component: Core
Credits: Martin Trigaux, Alexandre Diaz
Improper access control in Odoo Community 13.0 and earlier and Odoo
Enterprise 13.0 and earlier, allows remote authenticated users to modify
translated terms, which may lead to arbitrary content modification on
translatable elements.
I. Background
The interface of Odoo includes localized elements, displayed in the language
of the user. Some fields for user-provided data can be translated as well,
for example master data records, like products, or website pages.
Translations are loaded automatically at module installation but can also be
imported manually.
II. Problem Description
A missing access control allowed unauthorized users to abuse the translation
processing mechanism.
III. Impact
Attack Vector: Network exploitable
Authentication: User account required
CVSS3 Score: Medium :: 4.3
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
A malicious external user who has been granted Portal access could
send a specially crafted request and alter Odoo translations.
Business documents and user data are not directly at risk, but the
attacker could cause significant trouble by altering the
translations of the user interface or public-facing documents.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
There is no known workaround; applying the patches is strongly recommended.
Odoo Cloud servers have been patched as soon as the correction was available.
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: