Announcements mailing list archives

announcements@mail.odoo.com


Odoo Security Advisories - ODOO-SA-2018-11-28 | ODOO-SA-2018-08-07

by Olivier Dony (odo) - 08/04/2019 10:11:23
Several security advisories have just been disclosed, as described below.
Please be sure that your deployments are up-to-date. Follow the links at the end of the summary to read the detailed disclosure, including reference revision numbers and dates.

If you are unsure about the update process, please refer to our online instructions, valid for all versions:

Note: this is a notification of public disclosure of security issues from 2018 - the private disclosure already took place in 2018.
If you are using one of the Odoo Cloud-hosted services (Odoo Online | Odoo.SH) there is nothing to do: these updates were applied automatically as soon as the corrections were available.
If you have a valid Odoo Enterprise subscription, you have already been notified during the private disclosure - this only serves as a reminder.


~~~

# ODOO-SA-2018-11-28-1 (CVE-2018-15640)
  Severity :: High :: 8.1 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through
  12.0 allows remote authenticated attackers to obtain elevated privileges
  via a crafted request.

# ODOO-SA-2018-11-28-2 (CVE-2018-15635)
  Severity :: Medium :: 5.9 :: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
  Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0
  and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to
  inject arbitrary web script in the browser of an internal user of the system
  by tricking them into inviting a follower on a document with a crafted name.

# ODOO-SA-2018-11-28-3 (CVE-2018-15631)
  Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  Improper access control in the Discuss App of Odoo Community 12.0 and earlier
  and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to
  e-mail themselves arbitrary files from the database, via a crafted RPC
  request.

~~~

# ODOO-SA-2018-08-07-1 (CVE-2018-14865)
  Severity: High :: 7.7
  Report engine in Odoo Community 11.0 and earlier and Odoo Enterprise
  11.0 and earlier does not use secure options when passing documents to
  wkhtmltopdf, which allows remote attackers to read local files.
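
The entry above is a configuration weakness rather than a code bug: wkhtmltopdf follows file:// URLs in the HTML it renders unless told not to, so any attacker-controlled text that a report template echoes (a partner name, a note) can pull local files into the generated PDF. The following Python is an added example written for this page, not Odoo's report engine code: it shows an unhardened invocation beside a hardened one built from real wkhtmltopdf options (--disable-local-file-access, --allow, --disable-javascript), plus a small audit helper and a defence-in-depth scan for file: URLs. The HTML fragment, paths and function names are constructed for illustration.

```python
import re

# Constructed illustration (not taken from any real report): attacker-controlled
# text that a template echoes into the HTML handed to wkhtmltopdf. With local
# file access enabled, the renderer fetches the file:// URL and its content
# ends up in the PDF the attacker can then download.
MALICIOUS_FRAGMENT = (
    '<p>Invoice for <b>ACME</b></p>'
    '<iframe src="file:///etc/passwd" width="800" height="600"></iframe>'
)

# Matches file: URLs in src/href attributes. Defence in depth only: encoding
# tricks can evade this; the command-line flag below is the actual control.
_FILE_URL_RE = re.compile(r'''(?:src|href)\s*=\s*["']?\s*(file:[^"'\s>]+)''', re.I)


def find_file_urls(html):
    """Return the file: URLs referenced from src/href attributes in `html`."""
    return _FILE_URL_RE.findall(html)


def build_wkhtmltopdf_argv(html_path, pdf_path, hardened=True, allowed_dirs=()):
    """Build the wkhtmltopdf command line.

    hardened=False reproduces the weak pattern: no restriction on what the
    rendered page may load. hardened=True passes --disable-local-file-access
    (refuse file:// outside the --allow directories) and --disable-javascript
    (no script-driven fetch of local content).
    """
    argv = ["wkhtmltopdf", "--quiet"]
    if hardened:
        argv.append("--disable-local-file-access")
        for directory in allowed_dirs:
            # e.g. the directory holding the report's own CSS and fonts
            argv += ["--allow", directory]
        argv.append("--disable-javascript")
    argv += [html_path, pdf_path]
    return argv


def is_hardened(argv):
    """Audit helper: True when local file access is disabled and not
    re-enabled elsewhere on the same command line."""
    return ("--disable-local-file-access" in argv
            and "--enable-local-file-access" not in argv)


if __name__ == "__main__":
    print("file URLs in fragment:", find_file_urls(MALICIOUS_FRAGMENT))
    weak = build_wkhtmltopdf_argv("report.html", "report.pdf", hardened=False)
    safe = build_wkhtmltopdf_argv("report.html", "report.pdf",
                                  allowed_dirs=["/srv/odoo/static"])
    for label, argv in (("weak", weak), ("safe", safe)):
        state = "hardened" if is_hardened(argv) else "NOT hardened"
        print("%s: %s -> %s" % (label, " ".join(argv), state))
```

Recent wkhtmltopdf releases disable local file access by default, but passing the flag explicitly documents the intent and protects deployments still running older builds, which allowed it by default; the --allow entries are what keep the report's own static assets renderable once file access is locked down.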

# ODOO-SA-2018-08-07-2 (CVE-2018-14864)
  Severity: Medium :: 6.3
  Incorrect access control in asset bundles in Odoo Community 11.0 and
  earlier and Odoo Enterprise 11.0 and earlier allows remote
  authenticated users to inject arbitrary web script via a crafted attachment.

# ODOO-SA-2018-08-07-3 (CVE-2018-14867)
  Severity: Medium :: 6.5
  Incorrect access control in the portal messaging system in Odoo Community
  9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers
  to post messages on behalf of customers, and to guess document
  attribute values, via crafted parameters.

# ODOO-SA-2018-08-07-4 (CVE-2018-14862)
  Severity: High :: 7.1
  Incorrect access control in the mail templating system in Odoo Community
  11.0 and earlier and Odoo Enterprise 11.0 and earlier allows
  authenticated internal users to delete arbitrary menuitems via a crafted
  RPC request.

# ODOO-SA-2018-08-07-5 (CVE-2018-14860)
  Severity: Critical :: 9.1
  Improper sanitization of dynamic user expressions in Odoo Community
  11.0 and earlier and Odoo Enterprise 11.0 and earlier allows
  authenticated privileged users to escape from the dynamic expression sandbox
  and execute arbitrary code on the hosting system.

# ODOO-SA-2018-08-07-6 (CVE-2018-14861)
  Severity: Medium :: 4.3
  Improper data access control in Odoo Community 10.0 and 11.0 and Odoo
  Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export
  of the securely hashed passwords of other users.

# ODOO-SA-2018-08-07-7 (CVE-2018-14868)
  Severity: High :: 8.1
  Incorrect access control in the Password Encryption module in Odoo
  Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to
  change the password of other users without knowing their current
  password via a crafted RPC call.

# ODOO-SA-2018-08-07-8 (CVE-2018-14863)
  Severity: High :: 8.1
  Incorrect access control in the RPC framework in Odoo Community 8.0
  through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated
  users to call private functions via RPC.
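
The ORM convention behind this entry: public methods are the RPC surface and enforce access rights, while underscore-prefixed methods are internal helpers that assume those checks already happened. If the RPC dispatcher resolves whatever attribute name a client sends, the client reaches the helpers directly. The following Python is an added example written for this page, not Odoo's dispatcher code: a constructed model with a checked write() and an unchecked _write(), a dispatcher that resolves names blindly, and one that refuses private names at the boundary. The model, its fields, the "admin" user id and the function names are illustrative assumptions.

```python
class AccessError(Exception):
    """Raised when a caller attempts something the business rules forbid."""


class Partner:
    """Constructed stand-in for an ORM model bound to the session user.

    write() is the public RPC entry point and enforces a rule (only an
    administrator may change the 'active' flag). _write() is the internal
    helper that applies values without checks, as low-level ORM helpers do;
    the leading underscore marks it as not meant for remote callers.
    """

    PROTECTED_FIELDS = {"active"}

    def __init__(self, uid):
        self.uid = uid
        self.records = {1: {"name": "Alice", "active": True}}

    def read(self, ids, fields):
        return [{f: self.records[i][f] for f in fields} for i in ids]

    def write(self, ids, vals):
        blocked = self.PROTECTED_FIELDS & set(vals)
        if blocked and self.uid != "admin":
            raise AccessError("only administrators may change %s" % sorted(blocked))
        return self._write(ids, vals)

    def _write(self, ids, vals):
        for i in ids:
            self.records[i].update(vals)
        return True


def call_kw_vulnerable(model, method, args, kwargs):
    """Weak dispatcher: resolves whatever attribute name the client sends,
    so '_write' and every other private helper are one RPC call away."""
    return getattr(model, method)(*args, **kwargs)


def call_kw_hardened(model, method, args, kwargs):
    """Refuse private names at the RPC boundary, before attribute lookup."""
    if method.startswith("_"):
        raise AccessError("private method %r cannot be called remotely" % method)
    fn = getattr(model, method, None)
    if not callable(fn):
        raise AccessError("unknown method %r" % method)
    return fn(*args, **kwargs)


if __name__ == "__main__":
    for dispatcher in (call_kw_vulnerable, call_kw_hardened):
        partner = Partner(uid="bob")          # an ordinary internal user
        for method in ("write", "_write"):
            try:
                dispatcher(partner, method, [[1], {"active": False}], {})
                outcome = "succeeded, active=%s" % partner.records[1]["active"]
            except AccessError as exc:
                outcome = "refused (%s)" % exc
            print("%-18s %-7s -> %s" % (dispatcher.__name__, method, outcome))
```

With the weak dispatcher the non-admin user's write() is refused but _write() silently deactivates the record; the hardened one refuses any underscore-prefixed name (which also covers dunder attributes such as __class__) before getattr() runs.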

# ODOO-SA-2018-08-07-9 (CVE-2018-14866)
  Severity: Low :: 3.5
  Incorrect access control in the TransientModel framework in Odoo
  Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows
  authenticated attackers to access data in transient records that they
  do not own by making an RPC call before garbage collection occurs.

# ODOO-SA-2018-08-07-10 (CVE-2018-14859)
  Severity: High :: 8.1
  Incorrect access control in the password reset component in Odoo
  Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows
  authenticated users to reset the password of other users by being the first
  party to use the secure token.

# ODOO-SA-2018-08-07-11 (CVE-2018-14887)
  Severity: High :: 6.5
  Improper Host header sanitization in the dbfilter routing component in Odoo
  Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows
  a remote attacker to deny access to the service and to disclose
  database names via a crafted request.
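
The dbfilter option is a regular expression in which %h stands for the full hostname of the request and %d for its first label (the subdomain), both taken from the client-supplied Host header. If those values are spliced into the pattern without escaping, the client controls part of the regex: a label that is itself a wildcard makes every database match (disclosing their names through the database selector), and an unbalanced metacharacter makes the pattern fail to compile on every request. The following Python is an added example reconstructing that weakness and its fix; it is not Odoo's http.py, and the database names, the Host-splitting helper and the two function names are constructed for illustration.

```python
import re

# Constructed sample: the database names a multi-tenant host would hold.
DATABASES = ["acme_prod", "acme_staging", "globex_prod", "initech_prod"]

# dbfilter with the documented placeholders: %h is replaced by the request's
# full hostname and %d by its first label. A tenant setup commonly uses a
# pattern like this so acme.example.com only sees the acme_* databases.
DBFILTER = r"^%d_.*$"


def _host_parts(host_header):
    """Split a Host header into (hostname, first label), dropping any port."""
    hostname = host_header.split(":")[0]
    label = hostname.partition(".")[0]
    return hostname, label


def db_filter_vulnerable(dbs, host_header, dbfilter=DBFILTER):
    """Weak pattern: Host-derived values are spliced into the regex verbatim,
    so regex metacharacters sent by the client are interpreted."""
    hostname, label = _host_parts(host_header)
    pattern = dbfilter.replace("%h", hostname).replace("%d", label)
    return [db for db in dbs if re.match(pattern, db)]


def db_filter_hardened(dbs, host_header, dbfilter=DBFILTER):
    """Escape the Host-derived values so they can only match literally."""
    hostname, label = _host_parts(host_header)
    pattern = (dbfilter.replace("%h", re.escape(hostname))
                       .replace("%d", re.escape(label)))
    return [db for db in dbs if re.match(pattern, db)]


if __name__ == "__main__":
    # A normal tenant request, a wildcard label, and an unbalanced parenthesis.
    for host in ["acme.example.com:8069", r"\w*", "("]:
        for name, fn in [("vulnerable", db_filter_vulnerable),
                         ("hardened", db_filter_hardened)]:
            try:
                print("%-10s Host=%-22r -> %s" % (name, host, fn(DATABASES, host)))
            except re.error as exc:
                print("%-10s Host=%-22r -> re.error: %s" % (name, host, exc))
```

With the weak filter, Host "\w*" lists all four databases and Host "(" raises re.error on every request carrying it; the escaped version returns an empty list for both and still narrows acme.example.com to the two acme_* databases.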

# ODOO-SA-2018-08-07-12 (CVE-2018-14885)
  Severity: High :: 8.2
  Incorrect access control in the database manager component in Odoo
  Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a
  remote attacker to restore a database dump without knowing the
  super-admin password. An arbitrary password succeeds.


# ODOO-SA-2018-08-07-13 (CVE-2018-14886)
  Severity: High :: 6.8
  The module-description renderer in Odoo Community 11.0 and earlier and Odoo
  Enterprise 11.0 and earlier does not disable RST's local file
  inclusion, which allows privileged authenticated users to read local
  files via a crafted module description.