CVE-2021-26947: [SEC] CVE-2021-26947 - Cross-site scripting (XSS) issue Odoo Communi... · Issue #107694 · odoo/odoo
Security Advisory - CVE-2021-26947

Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-26947
Component: Core
Credits: Nils Hamerlinck (Trobz), Andreas Perhab (WT-IO-IT GmbH)

A cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and
Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary
web script into the browser of a victim via a crafted link.

I. Background

The Odoo framework is designed to be safe by default and to ensure that all
user-controlled parameters are sanitized before they are rendered.

II. Problem Description

Improper input validation in a generic template allowed an attacker to inject
arbitrary web script that executes when the victim opens a forged link.
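The following is an added illustration of the vulnerability class this advisory describes, not Odoo code and not the template that was actually fixed: the advisory does not name the affected template or parameter, so the template, the parameter `name`, the `SAFE_SCHEMES` list and the crafted link below are all constructed assumptions. It shows a template that interpolates a query parameter verbatim beside the escaped form, and, going one step further than the advisory text, why escaping alone is not enough when the parameter lands in an `href`.

```python
"""Reflected XSS through a template that interpolates a URL parameter.

Added example for the vulnerability class in this advisory; it is NOT Odoo
code. Template, parameter name, scheme allowlist and the crafted link are
constructed assumptions, since the advisory names none of them.
"""
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed attacker link: the query string carries the payload.
CRAFTED_LINK = (
    "https://example.invalid/page"
    "?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"
)

# Assumed allowlist for URLs that may be placed into an href attribute.
SAFE_SCHEMES = ("http", "https", "mailto")


def param_from_link(link: str, key: str) -> str:
    """Extract a query parameter the way a web handler would receive it
    (percent-decoded, first value wins)."""
    values = parse_qs(urlsplit(link).query)
    return values.get(key, [""])[0]


def render_vulnerable(name: str) -> str:
    """'Before': the parameter is dropped into the markup unchanged, so
    markup in the parameter becomes markup in the page."""
    return f"<p>Hello, {name}!</p>"


def render_hardened(name: str) -> str:
    """'After': the parameter is HTML-escaped for text context, so <, >, &
    and quotes are rendered literally instead of being parsed as markup."""
    return f"<p>Hello, {escape(name, quote=True)}!</p>"


def render_link_hardened(url: str) -> str:
    """Attribute context needs more than escaping: a 'javascript:' URL
    survives html.escape untouched, so the scheme is allowlisted first and
    anything else is replaced by an inert fragment link."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        url = "#"
    return f'<a href="{escape(url, quote=True)}">link</a>'


if __name__ == "__main__":
    payload = param_from_link(CRAFTED_LINK, "name")
    print("vulnerable:", render_vulnerable(payload))
    print("hardened:  ", render_hardened(payload))
    print("href:      ", render_link_hardened("javascript:alert(1)"))
```

The hardened text-context renderer is what "sanitized by default" means in practice: every user-controlled value is escaped for the context it is rendered into, and a value that becomes a URL, attribute or script literal needs its own context-specific handling in addition to HTML escaping.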

III. Impact

Attack Vector: Network exploitable
Authentication: None
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

An attacker can send a forged link to the victim; when the victim opens it,
arbitrary web script executes in the victim's browser. The vector reflects
this: PR:N because the attacker needs no account, and UI:R because the attack
succeeds only if the victim follows the link.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.

Odoo Cloud servers were patched as soon as the correction was available.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo version (commit references in section VI below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the commits (abbreviated hashes in the odoo/odoo
repository) that fix the vulnerability for each version; a checkout already
contains the fix when the corresponding commit is an ancestor of its HEAD:

  • 13.0: b08301e
  • 14.0: e451c4f
  • 15.0: c3528f2
  • 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): the fix is in the Core
    component shared with the Community edition, see 15.0, 14.0 and 13.0.

Related news

Debian Security Advisory 5399-1

Debian Linux Security Advisory 5399-1 - Several vulnerabilities were discovered in odoo, a suite of web based open source business apps.
