cnvd - cnvd-2020-74056

cnvd-2020-74056

Vulnerability from cnvd

Title: Odoo跨站脚本漏洞（CNVD-2020-74056）

Description:

Odoo是一款开源企业管理套件,其功能涵盖了CRM、销售、采购、库存管理、生产制造、质量管理、HR全功能、财务管理、项目管理、PLM等一系列完善的企业信息化需求。

Odoo 13.0及更早版本的邮件模块存在跨站脚本漏洞。远程攻击者可通过特制渠道名称利用该漏洞将任意Web脚本注入受害者的浏览器中。

Severity: 低

Patch Name: Odoo跨站脚本漏洞（CNVD-2020-74056）的补丁

Patch Description:

Odoo 13.0及更早版本的邮件模块存在跨站脚本漏洞。远程攻击者可通过特制渠道名称利用该漏洞将任意Web脚本注入受害者的浏览器中。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://www.odoo.com/zh_CN/page/download

Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15638

Impacted products

Name
['Odoo Odoo Community <=13.0', 'Odoo Odoo Enterprise <=13.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-15638",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2018-15638"
    }
  },
  "description": "Odoo\u662f\u4e00\u6b3e\u5f00\u6e90\u4f01\u4e1a\u7ba1\u7406\u5957\u4ef6,\u5176\u529f\u80fd\u6db5\u76d6\u4e86CRM\u3001\u9500\u552e\u3001\u91c7\u8d2d\u3001\u5e93\u5b58\u7ba1\u7406\u3001\u751f\u4ea7\u5236\u9020\u3001\u8d28\u91cf\u7ba1\u7406\u3001HR\u5168\u529f\u80fd\u3001\u8d22\u52a1\u7ba1\u7406\u3001\u9879\u76ee\u7ba1\u7406\u3001PLM\u7b49\u4e00\u7cfb\u5217\u5b8c\u5584\u7684\u4f01\u4e1a\u4fe1\u606f\u5316\u9700\u6c42\u3002\n\nOdoo 13.0\u53ca\u66f4\u65e9\u7248\u672c\u7684\u90ae\u4ef6\u6a21\u5757\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u6e20\u9053\u540d\u79f0\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u4efb\u610fWeb\u811a\u672c\u6ce8\u5165\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.odoo.com/zh_CN/page/download",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-74056",
  "openTime": "2020-12-25",
  "patchDescription": "Odoo\u662f\u4e00\u6b3e\u5f00\u6e90\u4f01\u4e1a\u7ba1\u7406\u5957\u4ef6,\u5176\u529f\u80fd\u6db5\u76d6\u4e86CRM\u3001\u9500\u552e\u3001\u91c7\u8d2d\u3001\u5e93\u5b58\u7ba1\u7406\u3001\u751f\u4ea7\u5236\u9020\u3001\u8d28\u91cf\u7ba1\u7406\u3001HR\u5168\u529f\u80fd\u3001\u8d22\u52a1\u7ba1\u7406\u3001\u9879\u76ee\u7ba1\u7406\u3001PLM\u7b49\u4e00\u7cfb\u5217\u5b8c\u5584\u7684\u4f01\u4e1a\u4fe1\u606f\u5316\u9700\u6c42\u3002\r\n\r\nOdoo 13.0\u53ca\u66f4\u65e9\u7248\u672c\u7684\u90ae\u4ef6\u6a21\u5757\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u6e20\u9053\u540d\u79f0\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u4efb\u610fWeb\u811a\u672c\u6ce8\u5165\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Odoo\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-74056\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Odoo Odoo Community \u003c=13.0",
      "Odoo Odoo Enterprise \u003c=13.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-15638",
  "serverity": "\u4f4e",
  "submitTime": "2020-12-23",
  "title": "Odoo\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-74056\uff09"
}

CVE-2018-15638 (GCVE-0-2018-15638)

Vulnerability from cvelistv5

Published

2020-12-22 16:25

Modified

2024-08-05 10:01

Severity ?

7.1 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Summary

Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names.

References

▼	URL	Tags
	https://github.com/odoo/odoo/issues/63703	x_refsource_MISC

Impacted products

Vendor

Product

Version

▼

Odoo

Odoo Community

Version: unspecified <

Odoo

Odoo Enterprise

Version: unspecified <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:01:54.270Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/odoo/odoo/issues/63703"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Odoo Community",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Odoo Enterprise",
          "vendor": "Odoo",
          "versions": [
            {
              "lessThanOrEqual": "13.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Subash SN and Bharath Kumar (Appsecco)"
        },
        {
          "lang": "en",
          "value": "Dipanshu Agrawal"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-22T16:25:33",
        "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "shortName": "odoo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/odoo/odoo/issues/63703"
        }
      ],
      "source": {
        "advisory": "ODOO-SA-2020-12-02",
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@odoo.com",
          "ID": "CVE-2018-15638",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Odoo Community",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Odoo Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Odoo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Subash SN and Bharath Kumar (Appsecco)"
          },
          {
            "lang": "eng",
            "value": "Dipanshu Agrawal"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/odoo/odoo/issues/63703",
              "refsource": "MISC",
              "url": "https://github.com/odoo/odoo/issues/63703"
            }
          ]
        },
        "source": {
          "advisory": "ODOO-SA-2020-12-02",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
    "assignerShortName": "odoo",
    "cveId": "CVE-2018-15638",
    "datePublished": "2020-12-22T16:25:33",
    "dateReserved": "2018-08-21T00:00:00",
    "dateUpdated": "2024-08-05T10:01:54.270Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted