CVE-2021-44461: [SEC] CVE-2021-44461 - Cross-site scripting (XSS) issue in Accountin... · Issue #107686 · odoo/odoo

Security Advisory - CVE-2021-44461

Affects: Odoo 13.0 to 15.0 (Enterprise Edition)
CVE ID: CVE-2021-44461
Component: Accounting (account_accountant)

A cross-site scripting (XSS) issue in the Accounting app of Odoo Enterprise 13.0
through 15.0 allows remote attackers who are able to control the contents of
accounting journal entries to inject arbitrary web script into the browser of
a victim.

I. Background

The Odoo accounting application allows external users to send invoices by email
that are automatically imported into an Odoo database.

II. Problem Description

The content of imported invoices was not properly sanitized.

III. Impact

Attack Vector: Network exploitable
Authentication: None
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

A malicious user could send a crafted invoice and trigger injected web script
code when an accountant opens the invoice.

Odoo S.A. is not aware of any use of this vulnerability in the wild.
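Odoo's actual fix is in the commits listed under section VI. The Python below is an added example, not Odoo's code and not the patch, showing the defensive pattern the description implies: every field of an invoice imported from an external e-mail is treated as untrusted, plain-text fields are HTML-escaped and the rich-text field is passed through an allowlist sanitizer before any of it is placed in markup the accountant's browser renders. The sample invoice, the tag and URL-scheme allowlists, and the helper names (`escape_field`, `sanitize_rich_text`, `render_invoice_row`) are all constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: fields of an invoice received by e-mail from an external
# sender. Every value here is attacker-controlled input, not trusted data.
SAMPLE_INVOICE = {
    "reference": "INV-2021-0042",
    "partner": "ACME <Widgets> & Co",
    "notes": (
        "<p>Thanks for your <b>order</b></p>"
        "<script>untrusted()</script>"
        '<a href="javascript:void(0)" onclick="x()">link</a>'
    ),
}

# Allowlists chosen for the example; a real deployment tunes these to the
# formatting its rich-text field legitimately needs.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "ul", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


def escape_field(value):
    """Plain-text field: encode it so the browser shows it literally."""
    return html.escape(str(value), quote=True)


class _AllowlistSanitizer(HTMLParser):
    """Keep only allowlisted tags/attributes; everything else is dropped.
    Text is re-escaped on output, so encoded text such as &lt;script&gt;
    comes out as text again rather than as a tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # allowed tags currently open, for balanced output
        self._skip_depth = 0   # >0 inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text still passes through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on*, style and every other non-allowlisted attribute
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # scheme allowlist: javascript:/data: URLs never survive
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in self._open:
            return
        while self._open:  # close mis-nested inner tags first, then this one
            inner = self._open.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()  # flush any buffered text
        while self._open:  # close whatever the input left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_rich_text(markup):
    """Rich-text field (e.g. invoice notes): allowlist-sanitize the markup."""
    parser = _AllowlistSanitizer()
    parser.feed(str(markup))
    return parser.result()


def render_invoice_row_unsafe(invoice):
    """The defect class the advisory describes: imported content is placed in
    the page verbatim, so markup in it runs in the accountant's browser."""
    return (f"<tr><td>{invoice['reference']}</td><td>{invoice['partner']}</td>"
            f"<td>{invoice['notes']}</td></tr>")


def render_invoice_row(invoice):
    """Hardened form: each field is escaped or sanitized before it becomes HTML."""
    return (
        "<tr>"
        f"<td>{escape_field(invoice['reference'])}</td>"
        f"<td>{escape_field(invoice['partner'])}</td>"
        f"<td>{sanitize_rich_text(invoice['notes'])}</td>"
        "</tr>"
    )


if __name__ == "__main__":
    print(render_invoice_row(SAMPLE_INVOICE))
```

The design point is that the sanitizer is an allowlist at every level (tags, attributes, URL schemes), so anything the parser does not recognise as explicitly permitted is dropped rather than pattern-matched away; denylists of "dangerous" tags or `javascript:` spellings are the usual way such filters are bypassed.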

IV. Workaround

No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.

Odoo Cloud servers were patched as soon as the correction was available.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the patches that fix the vulnerability for
each version:

  • 13.0-ent: https://github.com/odoo/enterprise/commit/eb6799b56c0f4f55a91c59efc750abc6b9aa1436
  • 14.0-ent: https://github.com/odoo/enterprise/commit/48f48647e3d9b61778450e430e889eb362d0e5d3
  • 15.0-ent: https://github.com/odoo/enterprise/commit/fce7a1a52e7e30e5adcdd61d49a512f27e08f73f
