CVE-2021-23176: [SEC] CVE-2021-23176 - Improper access control in reporting engine o... · Issue #107682 · odoo/odoo


Security Advisory - CVE-2021-23176

Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-23176
Component: l10n_fr_fec
Credits: Florent Mirieu de la barre

Improper access control in reporting engine of l10n_fr_fec module in Odoo
Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows
remote authenticated users to extract accounting information via crafted
RPC packets.

I. Background

The l10n_fr_fec module is the French accounting localization module used to
generate the Fichier d'Échange Informatisé (FEC), the accounting export of a
company's journal entries.

II. Problem Description

The report-generation entry point was not guarded by an access-rights check,
so it could be invoked by any authenticated user, including users without
accounting access rights.
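The pattern behind the problem description above, as an added illustration that is not Odoo's code and not the actual l10n_fr_fec implementation: a model method reachable through the RPC dispatcher builds the export while reading the ledger with elevated rights, and the only thing standing between a portal account and the accounting data is whether the method itself checks the caller's rights. Odoo's real classes are replaced by minimal stand-ins so the file runs stand-alone; the group xmlid `account.group_account_user`, the ledger rows and the function names are assumptions for illustration.

```python
"""
Stand-in for an Odoo RPC entry point that generates an accounting export.
This is an illustrative example, not Odoo's own code: models.Model,
res.users.has_group() and odoo.exceptions.AccessError are replaced by small
stand-ins, and the ledger rows and group xmlid are constructed assumptions.
"""
from dataclasses import dataclass, field


class AccessError(Exception):
    """Stand-in for odoo.exceptions.AccessError, raised when a rights check fails."""


@dataclass
class User:
    login: str
    groups: set = field(default_factory=set)

    def has_group(self, xmlid: str) -> bool:
        # Odoo's res.users.has_group() takes a group xmlid such as
        # 'account.group_account_user'; here group membership is just a set.
        return xmlid in self.groups


# Constructed sample ledger: the rows the FEC export would serialise.
LEDGER = [
    {"journal": "VTE", "date": "2021-01-04", "account": "411000", "debit": 1200.0, "credit": 0.0},
    {"journal": "VTE", "date": "2021-01-04", "account": "706000", "debit": 0.0, "credit": 1000.0},
    {"journal": "VTE", "date": "2021-01-04", "account": "445710", "debit": 0.0, "credit": 200.0},
]

ACCOUNTING_GROUP = "account.group_account_user"  # assumed group xmlid for this example


def _render_fec(lines):
    """Pipe-separated rows in the spirit of a FEC export (simplified column set)."""
    header = "JournalCode|EcritureDate|CompteNum|Debit|Credit"
    rows = [f"{l['journal']}|{l['date']}|{l['account']}|{l['debit']:.2f}|{l['credit']:.2f}"
            for l in lines]
    return "\n".join([header] + rows)


def generate_fec_vulnerable(user: User) -> str:
    # Reads the ledger with elevated rights (the equivalent of sudo()) and never
    # asks whether the caller is allowed to see accounting data at all.
    return _render_fec(LEDGER)


def generate_fec_hardened(user: User) -> str:
    # Authorise the caller first; only then read the ledger with elevated rights.
    if not user.has_group(ACCOUNTING_GROUP):
        raise AccessError("Only accounting users may generate the FEC report")
    return _render_fec(LEDGER)


MODEL_METHODS = {
    "vulnerable": generate_fec_vulnerable,
    "hardened": generate_fec_hardened,
}


def execute_kw(user: User, variant: str) -> str:
    """Stand-in for the XML-RPC/JSON-RPC dispatcher: any authenticated user may
    call any public model method, so authorisation is the method's own job."""
    return MODEL_METHODS[variant](user)


def probe(user: User, variant: str) -> str:
    """Return 'exported' if the report came back, 'denied' if access was refused."""
    try:
        execute_kw(user, variant)
        return "exported"
    except AccessError:
        return "denied"


if __name__ == "__main__":
    portal = User("customer@example.com", {"base.group_portal"})
    accountant = User("accountant@example.com", {"base.group_user", ACCOUNTING_GROUP})
    for variant in MODEL_METHODS:
        print(f"{variant}: portal={probe(portal, variant)} accountant={probe(accountant, variant)}")
```

The design point is where the check sits: model-level ACLs and record rules do not help once the report code reads the journal with elevated rights, so an RPC-callable method that returns derived data has to verify the caller's group membership before it reads anything, and a portal login alone must not be enough.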

III. Impact

Attack Vector: Network exploitable
Authentication: Employee / Portal user account required
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Malicious users on an Odoo database might craft RPC requests specifically
targeted at extracting accounting data from the database. The PR:L component
of the vector reflects that any authenticated account is sufficient: a portal
account, the kind of account typically given to external customers and
suppliers, is enough, not only an internal employee account.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

Until the patch is deployed, the l10n_fr_fec module can be uninstalled on
unpatched databases. Updating to the latest revision or applying the
corresponding patch is strongly recommended.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the patches that fix the vulnerability for
each version:

  • 13.0: 0ef5489
  • 14.0: f166400
  • 15.0: 66f0a38
  • 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.
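A way to confirm that a git checkout of Odoo already carries the fixing commit for its branch, as an added check that is not part of the advisory and not Odoo's tooling. It distinguishes three outcomes of `git merge-base --is-ancestor` (exit 0: reachable from HEAD; exit 1: known but not merged; exit 128: git cannot resolve the commit, e.g. a shallow clone or a fix that was never fetched). The short hashes are the ones listed above; the function names and the throwaway fixture repository are assumptions for illustration.

```python
"""
Check whether a git checkout of Odoo contains the advisory's fixing commit.
Added example, not Odoo's code. Requires the git binary; the fixture repository
built by make_demo_repo() is constructed purely so the check can be exercised offline.
"""
import subprocess
import tempfile

# Fixing commits per branch, as listed in the advisory (short hashes).
FIX_COMMITS = {"13.0": "0ef5489", "14.0": "f166400", "15.0": "66f0a38"}


def _git(repo, *args):
    """Run git against `repo` and return the CompletedProcess (never raises on exit code)."""
    return subprocess.run(["git", "-C", repo, *args], capture_output=True, text=True)


def resolve_commit(repo, short_hash):
    """Expand a short hash to a full object id, or None if this clone does not know it.
    A short hash only means something once the fix has actually been fetched."""
    r = _git(repo, "rev-parse", "--verify", "--quiet", f"{short_hash}^{{commit}}")
    return r.stdout.strip() or None


def commit_reachable(repo, commit):
    """True if `commit` is an ancestor of HEAD, False if it is known but not merged."""
    r = _git(repo, "merge-base", "--is-ancestor", commit, "HEAD")
    if r.returncode == 0:
        return True
    if r.returncode == 1:
        return False
    # Exit 128 and friends: not a repository, unknown object, shallow clone, etc.
    raise RuntimeError(f"git could not answer: {r.stderr.strip()}")


def contains_fix(repo, branch):
    """True/False as for commit_reachable(); None if the fix commit cannot be resolved,
    which usually means the clone has not fetched upstream since the fix landed."""
    commit = resolve_commit(repo, FIX_COMMITS[branch])
    if commit is None:
        return None
    return commit_reachable(repo, commit)


def make_demo_repo():
    """Constructed fixture: a throwaway repo with two commits, HEAD detached at the
    first, so the second commit is known to git but not reachable from HEAD."""
    repo = tempfile.mkdtemp(prefix="odoo-fixcheck-")
    subprocess.run(["git", "init", "-q", repo], check=True, capture_output=True)
    ident = ["-c", "user.name=demo", "-c", "user.email=demo@example.com"]
    _git(repo, *ident, "commit", "-q", "--allow-empty", "-m", "first")
    first = _git(repo, "rev-parse", "HEAD").stdout.strip()
    _git(repo, *ident, "commit", "-q", "--allow-empty", "-m", "second")
    second = _git(repo, "rev-parse", "HEAD").stdout.strip()
    _git(repo, "checkout", "-q", first)
    return repo, first, second


if __name__ == "__main__":
    import sys
    # Usage: python fixcheck.py /path/to/odoo 15.0
    path, branch = sys.argv[1], sys.argv[2]
    state = contains_fix(path, branch)
    print({True: "fixed", False: "NOT fixed", None: "fix commit unknown here, fetch upstream first"}[state])
```

This only applies to git-based installations; for packaged or downloaded releases there is no commit history to query, so compare the installed l10n_fr_fec code against the patch for the matching branch instead. A None result should be treated as "unknown", not as "fixed".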
