cnvd - cnvd-2020-74055

cnvd-2020-74055

Vulnerability from cnvd

Title: Odoo跨站脚本漏洞（CNVD-2020-74055）

Description:

Odoo是一款开源企业管理套件,其功能涵盖了CRM、销售、采购、库存管理、生产制造、质量管理、HR全功能、财务管理、项目管理、PLM等一系列完善的企业信息化需求。

Odoo 14.0及更早版本的附件管理存在跨站脚本漏洞。远程攻击者可通过特制链接利用该漏洞将任意Web脚本注入受害者的浏览器中。

Severity: 中

Patch Name: Odoo跨站脚本漏洞（CNVD-2020-74055）的补丁

Patch Description:

Odoo 14.0及更早版本的附件管理存在跨站脚本漏洞。远程攻击者可通过特制链接利用该漏洞将任意Web脚本注入受害者的浏览器中。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://www.odoo.com/zh_CN/page/download

Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15634

Impacted products

Name
['Odoo Odoo Community <=14.0', 'Odoo Odoo Enterprise <=14.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-15634",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2018-15634"
    }
  },
  "description": "Odoo\u662f\u4e00\u6b3e\u5f00\u6e90\u4f01\u4e1a\u7ba1\u7406\u5957\u4ef6,\u5176\u529f\u80fd\u6db5\u76d6\u4e86CRM\u3001\u9500\u552e\u3001\u91c7\u8d2d\u3001\u5e93\u5b58\u7ba1\u7406\u3001\u751f\u4ea7\u5236\u9020\u3001\u8d28\u91cf\u7ba1\u7406\u3001HR\u5168\u529f\u80fd\u3001\u8d22\u52a1\u7ba1\u7406\u3001\u9879\u76ee\u7ba1\u7406\u3001PLM\u7b49\u4e00\u7cfb\u5217\u5b8c\u5584\u7684\u4f01\u4e1a\u4fe1\u606f\u5316\u9700\u6c42\u3002\n\nOdoo 14.0\u53ca\u66f4\u65e9\u7248\u672c\u7684\u9644\u4ef6\u7ba1\u7406\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u94fe\u63a5\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u4efb\u610fWeb\u811a\u672c\u6ce8\u5165\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.odoo.com/zh_CN/page/download",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-74055",
  "openTime": "2020-12-25",
  "patchDescription": "Odoo\u662f\u4e00\u6b3e\u5f00\u6e90\u4f01\u4e1a\u7ba1\u7406\u5957\u4ef6,\u5176\u529f\u80fd\u6db5\u76d6\u4e86CRM\u3001\u9500\u552e\u3001\u91c7\u8d2d\u3001\u5e93\u5b58\u7ba1\u7406\u3001\u751f\u4ea7\u5236\u9020\u3001\u8d28\u91cf\u7ba1\u7406\u3001HR\u5168\u529f\u80fd\u3001\u8d22\u52a1\u7ba1\u7406\u3001\u9879\u76ee\u7ba1\u7406\u3001PLM\u7b49\u4e00\u7cfb\u5217\u5b8c\u5584\u7684\u4f01\u4e1a\u4fe1\u606f\u5316\u9700\u6c42\u3002\r\n\r\nOdoo 14.0\u53ca\u66f4\u65e9\u7248\u672c\u7684\u9644\u4ef6\u7ba1\u7406\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u94fe\u63a5\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u4efb\u610fWeb\u811a\u672c\u6ce8\u5165\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Odoo\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-74055\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Odoo Odoo Community \u003c=14.0",
      "Odoo Odoo Enterprise \u003c=14.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-15634",
  "serverity": "\u4e2d",
  "submitTime": "2020-12-23",
  "title": "Odoo\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-74055\uff09"
}

CVE-2018-15634 (GCVE-0-2018-15634)

Vulnerability from cvelistv5

Published

2020-12-22 16:25

Modified

2024-08-05 10:01

Severity ?

7.1 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Summary

Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link.

References

▼	URL	Tags
	https://github.com/odoo/odoo/issues/63702	x_refsource_MISC

Impacted products

Vendor

Product

Version

▼

Odoo

Odoo Community

Version: unspecified <

Odoo

Odoo Enterprise

Version: unspecified <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.274Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63702"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Nathanael ROTA (Capgemini)"
        },
        {
          "lang": "en",
          "value": "Alessandro Innocenti"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:33",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63702"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15634",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "14.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Nathanael ROTA (Capgemini)"
          },
          {
            "lang": "eng",
            "value": "Alessandro Innocenti"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63702",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63702"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15634",
    "datePublished": "2020-12-22T16:25:33",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.274Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted