CVE-2021-45071: [SEC] CVE-2021-45071 - Cross-site scripting (XSS) issue Odoo Communi... · Issue #107697 · odoo/odoo
A cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script into the browser of a victim via crafted uploaded file names.
Security Advisory - CVE-2021-45071
Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-45071
Component: Core
Credits: Lauri Vakkala, Anıl Yüksel, Agustin Maio and Johannes Moritz (Cure53)
I. Background
The Odoo framework includes a generic component for uploading files, known
as the "binary field widget".
II. Problem Description
A problem in the sanitization of the uploaded file name in the binary field
widget made a cross-site scripting attack possible.
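As an added illustration of the class of defect described above (not Odoo's own widget code and not the actual patch), the JavaScript below contrasts a rendering routine that interpolates an uploaded file name straight into markup with one that HTML-escapes it first. The function names, the `file-name` CSS class and the sample file name are assumptions constructed for this example.

```javascript
// Added example: unsafe vs. escaped rendering of an uploaded file name in a
// hypothetical binary-field widget. Not Odoo's real widget or patch.

// Escape the five characters that can change meaning in HTML text and
// quoted-attribute contexts. '&' is handled first so later replacements
// are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the file name is concatenated into markup as-is, so
// any tag or attribute-breaking characters in it become part of the DOM.
function renderUnsafe(fileName) {
  return '<span class="file-name" title="' + fileName + '">' + fileName + '</span>';
}

// Hardened pattern: escape before interpolating, so the name is rendered as
// text whatever characters it contains.
function renderSafe(fileName) {
  const safe = escapeHtml(fileName);
  return '<span class="file-name" title="' + safe + '">' + safe + '</span>';
}

// Constructed sample: a file name that carries markup, standing in for an
// attacker-controlled upload (illustrative content, not a working payload).
const SAMPLE_NAME = 'report<b>.pdf';

// Review/detection helper: does the rendered markup contain any tag other
// than the <span> our template emits? True means the file name broke out.
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?span\b/.test(t));
}

console.log("unsafe breaks out:", containsForeignTag(renderUnsafe(SAMPLE_NAME)));
console.log("safe breaks out:  ", containsForeignTag(renderSafe(SAMPLE_NAME)));
```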
III. Impact
Attack Vector: Network exploitable
Authentication: User account not necessarily required
CVSS3 Score: Medium :: 5.3
CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Depending on the modules/apps installed in a database, some screens may use
the default binary field widget. If an attacker is able to control the contents
of this field, directly or indirectly (e.g. via email), they can trigger the
execution of arbitrary web script (XSS) in the browser of the victim.
This may allow them to escalate privileges by causing a privileged victim to
perform malicious actions, or to capture sensitive data.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.
Odoo Cloud servers were patched as soon as the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html
VI. Correction details
The following list contains the patches that fix the vulnerability for
each version:
- 13.0: b9ae627
- 14.0: 609b650
- 15.0: 9f8da7b
- 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.