Archives
Announcements
announcements@mail.odoo.com
Odoo Security Advisories - ODOO-SA-2018-11-28 | ODOO-SA-2018-08-07
Several security advisories have just been disclosed, as described below.
Please be sure that your deployments are up-to-date. Follow the links at the end of the summary to read the detailed disclosure, including reference revision numbers and dates.
If you are unsure about the update process, please refer to our online instructions, valid for all versions:
Note: this is a notification of public disclosure of security issues from 2018 - the private disclosure already took place in 2018.
If you are using one of the Odoo Cloud-hosted services (Odoo Online | Odoo.SH) there is nothing to do, these updates were automatically applied as soon as the corrections were available.
If you have a valid Odoo Enterprise subscription, you have already been notified during the private disclosure - this only serves as a reminder.
~~~
# ODOO-SA-2018-11-28-1 (CVE-2018-15640)
Severity :: High :: 8.1 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through
12.0 allows remote authenticated attackers to obtain elevated privileges
via a crafted request.
# ODOO-SA-2018-11-28-2 (CVE-2018-15635)
Severity :: Medium :: 5.9 :: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0
and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to
inject arbitrary web script in the browser of an internal user of the system
by tricking them into inviting a follower on a document with a crafted name.
# ODOO-SA-2018-11-28-3 (CVE-2018-15631)
Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Improper access control in the Discuss App of Odoo Community 12.0 and earlier
and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to
e-mail themselves arbitrary files from the database, via a crafted RPC
request.
~~~
# ODOO-SA-2018-08-07-1 (CVE-2018-14865)
Severity: High :: 7.7
Report engine in Odoo Community 11.0 and earlier and Odoo Enterprise
11.0 and earlier does not use secure options when passing documents to
wkhtmltopdf, which allows remote attackers to read local files.
# ODOO-SA-2018-08-07-2 (CVE-2018-14864)
Severity: Medium :: 6.3
Incorrect access control in asset bundles in Odoo Community 11.0 and
earlier and Odoo Enterprise 11.0 and earlier allows remote
authenticated users to inject arbitrary web script via a crafted attachment.
# ODOO-SA-2018-08-07-3 (CVE-2018-14867)
Severity: Medium :: 6.5
Incorrect access control in the portal messaging system in Odoo Community
9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers
to post messages on behalf of customers, and to guess document
attribute values, via crafted parameters.
# ODOO-SA-2018-08-07-4 (CVE-2018-14862)
Severity: High :: 7.1
Incorrect access control in the mail templating system in Odoo Community
11.0 and earlier and Odoo Enterprise 11.0 and earlier allows
authenticated internal users to delete arbitrary menuitems via a crafted
RPC request.
# ODOO-SA-2018-08-07-5 (CVE-2018-14860)
Severity: Critical :: 9.1
Improper sanitization of dynamic user expressions in Odoo Community
11.0 and earlier and Odoo Enterprise 11.0 and earlier allows
authenticated privileged users to escape from the dynamic expression sandbox
and execute arbitrary code on the hosting system.
# ODOO-SA-2018-08-07-6 (CVE-2018-14861)
Severity: Medium:: 4.3
Improper data access control in Odoo Community 10.0 and 11.0 and Odoo
Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export
of the secure hashed passwords of other users.
# ODOO-SA-2018-08-07-7 (CVE-2018-14868)
Severity: High:: 8.1
Incorrect access control in the Password Encryption module in Odoo
Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to
change the password of other users without knowing their current
password via a crafted RPC call.
# ODOO-SA-2018-08-07-8 (CVE-2018-14863)
Severity: High :: 8.1
Incorrect access control in the RPC framework in Odoo Community 8.0
through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated
users to call private functions via RPC.
# ODOO-SA-2018-08-07-9 (CVE-2018-14866)
Severity: Low :: 3.5
Incorrect access control in the TransientModel framework in Odoo
Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows
authenticated attackers to access data in transient records that they
do not own by making an RPC call before garbage collection occurs.
# ODOO-SA-2018-08-07-10 (CVE-2018-14859)
Severity: High :: 8.1
Incorrect access control in the password reset component in Odoo
Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows
authenticated users to reset the password of other users by being the first
party to use the secure token.
# ODOO-SA-2018-08-07-11 (CVE-2018-14887)
Severity: High :: 6.5
Improper Host header sanitization in the dbfilter routing component in Odoo
Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows
a remote attacker to deny access to the service and to disclose
database names via a crafted request.
# ODOO-SA-2018-08-07-12 (CVE-2018-14885)
Severity: High :: 8.2
Incorrect access control in the database manager component in Odoo
Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a
remote attacker to restore a database dump without knowing the
super-admin password. An arbitrary password succeeds.
# ODOO-SA-2018-08-07-13 (CVE-2018-14886)
Severity: High :: 6.8
The module-description renderer in Odoo Community 11.0 and earlier and Odoo
Enterprise 11.0 and earlier does not disable RST's local file
inclusion, which allows privileged authenticated users to read local
files via a crafted module description.
by Olivier Dony (odo) - 10:21 - 8 Apr 2019
