CVE-2021-23178: [SEC] CVE-2021-23178 - Improper access control in Odoo Community 15.... · Issue #107690 · odoo/odoo
Security Advisory - CVE-2021-23178
Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-23178
Component: Online Payment
Credits: Parth Gajjar
Improper access control in Odoo Community 15.0 and earlier and Odoo
Enterprise 15.0 and earlier allows attackers to validate online payments
with a tokenized payment method that belongs to another user, causing
the victim’s payment method to be charged instead.
I. Background
To facilitate recurring online payments in eCommerce or Subscriptions, a user can
save a credit card as a payment method (a token) and reuse it for future purchases.
II. Problem Description
An improper validation in the online payment mechanism allowed an attacker to
use the saved payment method of another user.
III. Impact
Attack Vector: Network exploitable
Authentication: None
CVSS3 Score: high :: 7.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
A malicious user might be able to craft a payment request to validate an online
purchase, charging the credit card of another user.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
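The following is an added illustration of the access-control flaw described in sections II and III, written for this page; it is not Odoo's code or the actual patch. It models a saved payment token that belongs to a partner, a transaction that a customer is validating, and two validators: a hypothetical vulnerable one that only checks that the requested token exists, and a hardened one that additionally checks that the token belongs to the partner of the transaction. All class and function names (PaymentToken, Transaction, validate_payment_vulnerable, validate_payment_fixed) and the sample data are constructed for the example.

```python
"""Illustrative model of a payment-token ownership check (not Odoo's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class AccessError(Exception):
    """Raised when a transaction tries to use a token it does not own."""


@dataclass
class PaymentToken:
    id: int
    partner_id: int      # the customer who saved this card
    acquirer_ref: str    # opaque reference held at the payment provider


@dataclass
class Transaction:
    id: int
    partner_id: int      # the customer validating this purchase
    amount: float
    token_id: Optional[int] = None
    state: str = "draft"


def build_sample_tokens() -> Dict[int, PaymentToken]:
    """Constructed sample data: one saved card per partner."""
    return {
        101: PaymentToken(id=101, partner_id=1, acquirer_ref="tok_victim_card"),
        102: PaymentToken(id=102, partner_id=2, acquirer_ref="tok_other_card"),
    }


def validate_payment_vulnerable(tx: Transaction, token_id: int,
                                tokens: Dict[int, PaymentToken]) -> Transaction:
    """Hypothetical weak validator: any existing token id is accepted.

    The token is looked up purely by id, so a request can name a token that
    belongs to a different partner and that partner's card gets charged.
    """
    token = tokens.get(token_id)
    if token is None:
        raise AccessError(f"token {token_id} does not exist")
    tx.token_id = token.id
    tx.state = "done"
    return tx


def validate_payment_fixed(tx: Transaction, token_id: int,
                           tokens: Dict[int, PaymentToken]) -> Transaction:
    """Hardened validator: the token must belong to the paying partner.

    The ownership check is done server-side against the transaction's own
    partner, never against values supplied in the request.
    """
    token = tokens.get(token_id)
    if token is None or token.partner_id != tx.partner_id:
        # Same message for "missing" and "not yours" so the response does not
        # reveal whether a given token id exists.
        raise AccessError(f"token {token_id} is not available to partner {tx.partner_id}")
    tx.token_id = token.id
    tx.state = "done"
    return tx


def attempt(validator: Callable[[Transaction, int, Dict[int, PaymentToken]], Transaction],
            tx: Transaction, token_id: int,
            tokens: Dict[int, PaymentToken]) -> str:
    """Run a validator and summarise the outcome (used by the demo below)."""
    try:
        validator(tx, token_id, tokens)
        return f"charged: token {token_id} owned by partner {tokens[token_id].partner_id}"
    except AccessError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    tokens = build_sample_tokens()
    # Partner 2 validates its own purchase but names partner 1's saved token.
    print(attempt(validate_payment_vulnerable,
                  Transaction(id=1, partner_id=2, amount=50.0), 101, tokens))
    print(attempt(validate_payment_fixed,
                  Transaction(id=2, partner_id=2, amount=50.0), 101, tokens))
    # Partner 1 using its own token is still accepted by the hardened check.
    print(attempt(validate_payment_fixed,
                  Transaction(id=3, partner_id=1, amount=10.0), 101, tokens))
```

The point to carry over to a real implementation is that the owner of the token is derived from the authenticated session or the transaction record, and the token id in the request is only honoured when that owner matches; a denied attempt is also a useful signal to log, since a legitimate checkout never references another customer's token.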
IV. Workaround
No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.
Odoo Cloud servers have been patched as soon as the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html
VI. Correction details
The following list contains the patches that fix the vulnerability for
each version:
- 13.0: 08fe322
- 14.0: 5ac5524
- 15.0: 9a06302
- 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.