PT-2020-8541 · Odoo · Odoo Community

Aitor Fuentes · Published 2020-12-22 · Updated 2023-10-24 · CVE-2018-15641

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Odoo Community versions 11.0 through 14.0; Odoo Enterprise versions 11.0 through 14.0

Description: The issue is a cross-site scripting (XSS) problem in the web module, allowing remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes.
Recommendations: For Odoo Community versions 11.0 through 14.0, consider disabling the web module until a patch is available. For Odoo Enterprise versions 11.0 through 14.0, consider disabling the web module until a patch is available. As a temporary workaround, restrict access to crafted calendar event attributes to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2023-6595
CVE-2018-15641

Affected Products

Alt Linux
Odoo Community
Odoo Enterprise