Nils Hamerlinck

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions prior to 15.0 Odoo Enterprise versions prior to 15.0 **Description** The issue is related to improper access control, allowing remote authenticated users to trigger the creation of demonstration data. This includes user accounts with known credentials. **Recommendations** For Odoo Community versions prior to 15.0, update to a version later than 15.0 to resolve the issue. For Odoo Enterprise versions prior to 15.0, update to a version later than 15.0 to resolve the issue. As a temporary workaround, consider restricting access to demonstration data creation functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 15.0 and earlier Odoo Enterprise versions 15.0 and earlier **Description** The issue allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link. This is a cross-site scripting (XSS) issue. **Recommendations** For Odoo Community versions 15.0 and earlier, update to a version later than 15.0 to resolve the issue. For Odoo Enterprise versions 15.0 and earlier, update to a version later than 15.0 to resolve the issue. As a temporary workaround, consider restricting access to crafted links to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 15.0 and earlier Odoo Enterprise versions 15.0 and earlier **Description** A sandboxing issue allows authenticated administrators to access and modify database contents of other tenants in a multi-tenant system. **Recommendations** For Odoo Community versions 15.0 and earlier, update to a version later than 15.0 to resolve the issue. For Odoo Enterprise versions 15.0 and earlier, update to a version later than 15.0 to resolve the issue. As a temporary workaround, consider restricting access to sensitive database contents to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 15.0 and earlier Odoo Enterprise versions 15.0 and earlier **Description** A sandboxing issue allows authenticated administrators to read and write local files on the server. **Recommendations** For Odoo Community versions 15.0 and earlier, update to a version later than 15.0 to resolve the issue. For Odoo Enterprise versions 15.0 and earlier, update to a version later than 15.0 to resolve the issue. As a temporary workaround, consider restricting access to sensitive local files on the server until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 14.0 and earlier Odoo Enterprise versions 14.0 and earlier **Description** The issue is related to improper access control in the mail module, specifically affecting channel partners. This allows remote authenticated users to subscribe to arbitrary mail channels without an invitation. **Recommendations** For Odoo Community versions 14.0 and earlier, update to a version later than 14.0 to resolve the issue. For Odoo Enterprise versions 14.0 and earlier, update to a version later than 14.0 to resolve the issue. As a temporary workaround, consider restricting access to the mail module to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Odoo Community versions 12.0 and earlier Odoo Enterprise versions 12.0 and earlier Description: The issue is related to improper access control in message routing, allowing remote authenticated users to create arbitrary records via crafted payloads. This may lead to privilege escalation. Recommendations: For Odoo Community versions 12.0 and earlier, update to a version that includes the necessary security patches to fix the improper access control issue. For Odoo Enterprise versions 12.0 and earlier, update to a version that includes the necessary security patches to fix the improper access control issue. As a temporary workaround, consider restricting access to the message routing functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 13.0 and earlier Odoo Enterprise versions 13.0 and earlier **Description** The issue is related to improper access control in the mail module (followers) of Odoo Community and Odoo Enterprise. This allows remote authenticated users to obtain access to messages posted on business records they were not given access to, and subscribe to receive future messages. **Recommendations** For Odoo Community versions 13.0 and earlier, update to a version later than 13.0 to resolve the issue. For Odoo Enterprise versions 13.0 and earlier, update to a version later than 13.0 to resolve the issue. As a temporary workaround, consider restricting access to the mail module (followers) to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 9.0 through 11.0 Odoo Enterprise versions 9.0 through 11.0 **Description** The issue is related to incorrect access control in asset bundles, allowing remote authenticated users to inject arbitrary web script via a crafted attachment. **Recommendations** For Odoo Community versions 9.0 through 11.0, update to a version that includes the fix for this issue. For Odoo Enterprise versions 9.0 through 11.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to attachment uploads to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Odoo Community version 9.0 Odoo Enterprise version 9.0 **Description** The issue is related to incorrect access control in the Password Encryption module, allowing authenticated users to change the password of other users without knowing their current password via a crafted RPC call. **Recommendations** For Odoo Community version 9.0, update the Password Encryption module to enforce proper access control. For Odoo Enterprise version 9.0, update the Password Encryption module to enforce proper access control. As a temporary workaround, consider restricting access to the Password Encryption module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 9.0 through 10.0 Odoo Enterprise versions 9.0 through 10.0 **Description** The issue is related to incorrect access control in the portal messaging system, allowing remote attackers to post messages on behalf of customers and guess document attribute values via crafted parameters. **Recommendations** For Odoo Community versions 9.0 through 10.0, consider restricting access to the portal messaging system until a fix is available. For Odoo Enterprise versions 9.0 through 10.0, consider restricting access to the portal messaging system until a fix is available. As a temporary workaround, consider disabling the use of crafted parameters in the portal messaging system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Odoo versions 8.x through 11.x **Description** The issue concerns a ReDoS (regular expression denial of service) vulnerability in the dbfilter from header module provided by the Odoo Community Association (OCA). This vulnerability affects Odoo under certain circumstances. **Recommendations** For Odoo versions 8.x through 11.x, consider disabling the dbfilter from header module as a temporary workaround until a patch is available. Restrict access to potentially vulnerable modules to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 11.0 and earlier Odoo Enterprise versions 11.0 and earlier **Description** The issue is related to improper Host header sanitization in the dbfilter routing component. This allows a remote attacker to deny access to the service and disclose database names via a crafted request. **Recommendations** For Odoo Community versions 11.0 and earlier, update to a version later than 11.0 to resolve the issue. For Odoo Enterprise versions 11.0 and earlier, update to a version later than 11.0 to resolve the issue. As a temporary workaround, consider restricting access to the dbfilter routing component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 9.0 through 11.0 Odoo Enterprise versions 9.0 through 11.0 **Description** The report engine in Odoo does not use secure options when passing documents to wkhtmltopdf, allowing remote attackers to read local files. **Recommendations** For Odoo Community versions 9.0 through 11.0, consider updating to a version that uses secure options when passing documents to wkhtmltopdf. For Odoo Enterprise versions 9.0 through 11.0, consider updating to a version that uses secure options when passing documents to wkhtmltopdf. As a temporary workaround, consider restricting access to the report engine until a secure version is available.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 8.0 through 11.0 Odoo Enterprise versions 9.0 through 11.0 **Description** The issue is related to incorrect access control in the RPC framework, allowing authenticated users to call private functions via RPC. **Recommendations** For Odoo Community versions 8.0 through 11.0, update to a version that includes the fix for the incorrect access control issue. For Odoo Enterprise versions 9.0 through 11.0, update to a version that includes the fix for the incorrect access control issue.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 11.0 and earlier Odoo Enterprise versions 11.0 and earlier **Description** The issue is related to incorrect access control in the mail templating system, allowing authenticated internal users to delete arbitrary menu items via a crafted RPC request. **Recommendations** For Odoo Community versions 11.0 and earlier, update to a version later than 11.0 to resolve the issue. For Odoo Enterprise versions 11.0 and earlier, update to a version later than 11.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 10.0 through 11.0 Odoo Enterprise versions 10.0 through 11.0 **Description** The issue is related to improper data access control, allowing authenticated users to export secure hashed passwords of other users via a CSV export. **Recommendations** For Odoo Community versions 10.0 through 11.0, update to a version that includes the necessary access control fixes to prevent unauthorized data exports. For Odoo Enterprise versions 10.0 through 11.0, apply the security patch that addresses the improper data access control to restrict authenticated users from accessing sensitive user data.

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 11.0 and earlier Odoo Enterprise versions 11.0 and earlier **Description** The issue is related to incorrect access control in the password reset component, allowing authenticated users to reset the password of other users by being the first party to use the secure token. **Recommendations** For Odoo Community versions 11.0 and earlier, update to a version later than 11.0 to resolve the issue. For Odoo Enterprise versions 11.0 and earlier, update to a version later than 11.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Odoo versions 8.0 through 10.0 **Description** The issue allows remote authenticated users to read arbitrary local files readable by the Odoo service due to a directory traversal vulnerability in `tools.file open`. **Recommendations** For Odoo versions 8.0 through 10.0, update to a version that contains a fix for this issue.