CVE-2021-26263: [SEC] CVE-2021-26263 - Cross-site scripting (XSS) issue in Discuss a... · Issue #107693 · odoo/odoo
Security Advisory - CVE-2021-26263
Affects: Odoo 14.0 and 15.0 (Community and Enterprise Editions)
CVE ID: CVE-2021-26263
Component: Discuss
Credits: Theodoros Malachias, iamsushi, Ranjit Pahan
Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
I. Background
Odoo has a live chat feature to discuss in real time with employees or website visitors. A notification is triggered when a new message is received.
II. Problem Description
Improper input validation allowed the injection of arbitrary code that is executed in the browser of the victim when the message is received.
III. Impact
Attack Vector: Network exploitable
Authentication: None
CVSS3 Score: High :: 7.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
An attacker might craft requests to send arbitrary code to a victim and execute web script without needing active interaction from the victim, other than being connected. This may lead to privilege escalation and sensitive information disclosure.
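The root cause described above is message content reaching the notification markup unescaped. The following is an added illustrative example, not Odoo's code or the actual patch: it contrasts the unsafe concatenation pattern with escaping every untrusted field for the HTML context it lands in (the message object shape and function names are assumptions).

```javascript
// Added example (not Odoo's code): escape untrusted chat content before it is
// inserted into HTML, the generic fix for an XSS of the kind the advisory describes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  // Escape every character that can close a text node or break out of a quoted attribute.
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern (hypothetical): message fields are concatenated straight into markup,
// so any tag inside the message body becomes live HTML in the recipient's browser.
function renderNotificationUnsafe(msg) {
  return `<div class="notif" title="${msg.author}"><b>${msg.author}</b>: ${msg.body}</div>`;
}

// Hardened pattern: both the attribute context (title) and the text context get escaped.
function renderNotificationSafe(msg) {
  const author = escapeHtml(msg.author);
  const body = escapeHtml(msg.body);
  return `<div class="notif" title="${author}"><b>${author}</b>: ${body}</div>`;
}

// Constructed sample message (not taken from the advisory).
const sampleMessage = {
  author: 'Mallory" data-x="',
  body: "hello <script>x()</script>",
};

// Detection-style check a reviewer or test can run: the rendered notification
// must never contain a raw tag or an unescaped quote from the untrusted fields.
function containsRawMarkup(html, field) {
  return html.includes(field);
}
```

A regression test for this class of bug asserts that `renderNotificationSafe` never reproduces the raw `<script>` tag or the raw `"` from the author field, while the unsafe renderer does.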
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
No workaround is available; updating to the latest revision or applying the corresponding patch is strongly recommended.
Odoo Cloud servers have been patched as soon as the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding to your Odoo installation (links provided below).
For the actual update procedure, please refer to our update instructions, valid for all versions: https://www.odoo.com/documentation/15.0/setup/update.html
VI. Correction details
The following list contains the patches that fix the vulnerability for each version:
- 14.0: ff1db4a
- 15.0: 41e7d26
- 15.0-ent, 14.0-ent (Enterprise): see 15.0 and 14.0.