Odoo · Odoo Community · CVE-2018-15641
Name of the Vulnerable Software and Affected Versions:
Odoo Community versions 11.0 through 14.0
Odoo Enterprise versions 11.0 through 14.0
Description:
A cross-site scripting (XSS) vulnerability in the web module allows remote authenticated internal users to inject arbitrary web script into a victim's browser via crafted calendar event attributes.
Recommendations:
For Odoo Community versions 11.0 through 14.0, consider disabling the web module until a patch is available.
For Odoo Enterprise versions 11.0 through 14.0, consider disabling the web module until a patch is available.
As a temporary workaround, restrict access to crafted calendar event attributes to minimize the risk of exploitation.