PT-2019-4511 · Odoo · Odoo Community+1
Swapnesh Shah
·
Published
2019-11-19
·
Updated
2021-11-02
·
CVE-2019-11780
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Odoo Community version 13.0
Odoo Enterprise version 13.0
Description
The issue is related to improper access control in the computed fields system of the Odoo framework, allowing remote authenticated attackers to access sensitive information via crafted RPC requests. This could lead to privilege escalation. The vulnerability is also associated with errors in processing unsaved computed fields on behalf of the superuser, which can be exploited by a remote attacker to elevate their privileges in the target system by sending specially crafted RPC requests.
Recommendations
For Odoo Community version 13.0, update to a version that includes a fix for the improper access control issue in the computed fields system.
For Odoo Enterprise version 13.0, update to a version that includes a fix for the improper access control issue in the computed fields system.
As a temporary workaround, consider restricting access to the computed fields system to minimize the risk of exploitation.
Fix
Improper Privilege Management
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Odoo Community
Odoo Enterprise