Debian Bug report logs -
#1035953
odoo: CVE-2021-23166 CVE-2021-23176 CVE-2021-23178 CVE-2021-23186 CVE-2021-23203 CVE-2021-26263 CVE-2021-26947 CVE-2021-44476 CVE-2021-44775 CVE-2021-45071 CVE-2021-45111
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Freexian Packaging Team <team+freexian@tracker.debian.org>:
Bug#1035953; Package src:odoo.
(Thu, 11 May 2023 15:45:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Freexian Packaging Team <team+freexian@tracker.debian.org>.
(Thu, 11 May 2023 15:45:10 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: odoo
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for odoo.
CVE-2021-23166[0]:
| A sandboxing issue in Odoo Community 15.0 and earlier and Odoo
| Enterprise 15.0 and earlier allows authenticated administrators to
| read and write local files on the server.
CVE-2021-23176[1]:
| Improper access control in reporting engine of l10n_fr_fec module in
| Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier
| allows remote authenticated users to extract accounting information
| via crafted RPC packets.
CVE-2021-23178[2]:
| Improper access control in Odoo Community 15.0 and earlier and Odoo
| Enterprise 15.0 and earlier allows attackers to validate online
| payments with a tokenized payment method that belongs to another user,
| causing the victim's payment method to be charged instead.
CVE-2021-23186[3]:
| A sandboxing issue in Odoo Community 15.0 and earlier and Odoo
| Enterprise 15.0 and earlier allows authenticated administrators to
| access and modify database contents of other tenants, in a multi-
| tenant system.
CVE-2021-23203[4]:
| Improper access control in reporting engine of Odoo Community 14.0
| through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote
| attackers to download PDF reports for arbitrary documents, via crafted
| requests.
CVE-2021-26263[5]:
| Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0
| through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote
| attackers to inject arbitrary web script in the browser of a victim,
| by posting crafted contents.
CVE-2021-26947[6]:
| Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and
| Odoo Enterprise 15.0 and earlier, allows remote attackers to inject
| arbitrary web script in the browser of a victim, via a crafted link.
CVE-2021-44476[7]:
| A sandboxing issue in Odoo Community 15.0 and earlier and Odoo
| Enterprise 15.0 and earlier allows authenticated administrators to
| read local files on the server, including sensitive configuration
| files.
CVE-2021-44775[8]:
| Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0
| and earlier and Odoo Enterprise 15.0 and earlier, allows remote
| attackers to inject arbitrary web script in the browser of a victim,
| by posting crafted contents.
CVE-2021-45071[9]:
| Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and
| Odoo Enterprise 15.0 and earlier, allows remote attackers to inject
| arbitrary web script in the browser of a victim, via crafted uploaded
| file names.
CVE-2021-45111[10]:
| Improper access control in Odoo Community 15.0 and earlier and Odoo
| Enterprise 15.0 and earlier allows remote authenticated users to
| trigger the creation of demonstration data, including user accounts
| with known credentials.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-23166
https://www.cve.org/CVERecord?id=CVE-2021-23166
[1] https://security-tracker.debian.org/tracker/CVE-2021-23176
https://www.cve.org/CVERecord?id=CVE-2021-23176
[2] https://security-tracker.debian.org/tracker/CVE-2021-23178
https://www.cve.org/CVERecord?id=CVE-2021-23178
[3] https://security-tracker.debian.org/tracker/CVE-2021-23186
https://www.cve.org/CVERecord?id=CVE-2021-23186
[4] https://security-tracker.debian.org/tracker/CVE-2021-23203
https://www.cve.org/CVERecord?id=CVE-2021-23203
[5] https://security-tracker.debian.org/tracker/CVE-2021-26263
https://www.cve.org/CVERecord?id=CVE-2021-26263
[6] https://security-tracker.debian.org/tracker/CVE-2021-26947
https://www.cve.org/CVERecord?id=CVE-2021-26947
[7] https://security-tracker.debian.org/tracker/CVE-2021-44476
https://www.cve.org/CVERecord?id=CVE-2021-44476
[8] https://security-tracker.debian.org/tracker/CVE-2021-44775
https://www.cve.org/CVERecord?id=CVE-2021-44775
[9] https://security-tracker.debian.org/tracker/CVE-2021-45071
https://www.cve.org/CVERecord?id=CVE-2021-45071
[10] https://security-tracker.debian.org/tracker/CVE-2021-45111
https://www.cve.org/CVERecord?id=CVE-2021-45111
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 11 May 2023 18:27:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri May 12 13:12:34 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon