Source: odoo
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for odoo.

CVE-2021-23166[0]:
| A sandboxing issue in Odoo Community 15.0 and earlier and Odoo
| Enterprise 15.0 and earlier allows authenticated administrators to
| read and write local files on the server.

CVE-2021-23176[1]:
| Improper access control in reporting engine of l10n_fr_fec module in
| Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier
| allows remote authenticated users to extract accounting information
| via crafted RPC packets.

CVE-2021-23178[2]:
| Improper access control in Odoo Community 15.0 and earlier and Odoo
| Enterprise 15.0 and earlier allows attackers to validate online
| payments with a tokenized payment method that belongs to another user,
| causing the victim's payment method to be charged instead.

CVE-2021-23186[3]:
| A sandboxing issue in Odoo Community 15.0 and earlier and Odoo
| Enterprise 15.0 and earlier allows authenticated administrators to
| access and modify database contents of other tenants, in a multi-
| tenant system.

CVE-2021-23203[4]:
| Improper access control in reporting engine of Odoo Community 14.0
| through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote
| attackers to download PDF reports for arbitrary documents, via crafted
| requests.

CVE-2021-26263[5]:
| Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0
| through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote
| attackers to inject arbitrary web script in the browser of a victim,
| by posting crafted contents.

CVE-2021-26947[6]:
| Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and
| Odoo Enterprise 15.0 and earlier, allows remote attackers to inject
| arbitrary web script in the browser of a victim, via a crafted link.

CVE-2021-44476[7]:
| A sandboxing issue in Odoo Community 15.0 and earlier and Odoo
| Enterprise 15.0 and earlier allows authenticated administrators to
| read local files on the server, including sensitive configuration
| files.

CVE-2021-44775[8]:
| Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0
| and earlier and Odoo Enterprise 15.0 and earlier, allows remote
| attackers to inject arbitrary web script in the browser of a victim,
| by posting crafted contents.

CVE-2021-45071[9]:
| Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and
| Odoo Enterprise 15.0 and earlier, allows remote attackers to inject
| arbitrary web script in the browser of a victim, via crafted uploaded
| file names.

CVE-2021-45111[10]:
| Improper access control in Odoo Community 15.0 and earlier and Odoo
| Enterprise 15.0 and earlier allows remote authenticated users to
| trigger the creation of demonstration data, including user accounts
| with known credentials.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23166
    https://www.cve.org/CVERecord?id=CVE-2021-23166
[1] https://security-tracker.debian.org/tracker/CVE-2021-23176
    https://www.cve.org/CVERecord?id=CVE-2021-23176
[2] https://security-tracker.debian.org/tracker/CVE-2021-23178
    https://www.cve.org/CVERecord?id=CVE-2021-23178
[3] https://security-tracker.debian.org/tracker/CVE-2021-23186
    https://www.cve.org/CVERecord?id=CVE-2021-23186
[4] https://security-tracker.debian.org/tracker/CVE-2021-23203
    https://www.cve.org/CVERecord?id=CVE-2021-23203
[5] https://security-tracker.debian.org/tracker/CVE-2021-26263
    https://www.cve.org/CVERecord?id=CVE-2021-26263
[6] https://security-tracker.debian.org/tracker/CVE-2021-26947
    https://www.cve.org/CVERecord?id=CVE-2021-26947
[7] https://security-tracker.debian.org/tracker/CVE-2021-44476
    https://www.cve.org/CVERecord?id=CVE-2021-44476
[8] https://security-tracker.debian.org/tracker/CVE-2021-44775
    https://www.cve.org/CVERecord?id=CVE-2021-44775
[9] https://security-tracker.debian.org/tracker/CVE-2021-45071
    https://www.cve.org/CVERecord?id=CVE-2021-45071
[10] https://security-tracker.debian.org/tracker/CVE-2021-45111
     https://www.cve.org/CVERecord?id=CVE-2021-45111

Please adjust the affected versions in the BTS as needed.
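As an added example (not part of the bug report above, and not odoo or Debian tooling): the report asks that the fix's changelog entry name every CVE. The script below checks that, by pulling the CVE ids out of the report text and comparing them with the ids mentioned in the topmost debian/changelog entry. The report excerpt carries only the ids from above; the changelog entry, its version string and maintainer are constructed for illustration and deliberately omit one id so the check has something to report.

```python
"""Check that the top debian/changelog entry names every CVE in a bug report.

Added example; the changelog below is constructed, not the real odoo one.
"""
import re

# CVE ids: "CVE-", four-digit year, then at least four digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Ids taken from the bug report above (descriptions elided).
REPORT_TEXT = """
CVE-2021-23166[0]: sandboxing issue, local file read/write
CVE-2021-23176[1]: l10n_fr_fec reporting engine access control
CVE-2021-23178[2]: tokenized payment method of another user
CVE-2021-23186[3]: sandboxing issue, other tenants' databases
CVE-2021-23203[4]: PDF reports for arbitrary documents
CVE-2021-26263[5]: XSS in Discuss app
CVE-2021-26947[6]: XSS via crafted link
CVE-2021-44476[7]: sandboxing issue, local file read
CVE-2021-44775[8]: XSS in Website app
CVE-2021-45071[9]: XSS via crafted uploaded file names
CVE-2021-45111[10]: demonstration data with known credentials
"""

# Constructed changelog entry (hypothetical version, maintainer and date).
# It lists ten of the eleven ids; CVE-2021-45111 is left out on purpose.
CHANGELOG_TEXT = """\
odoo (0.0.example-1) unstable; urgency=high

  * Apply upstream fixes for CVE-2021-23166, CVE-2021-23176,
    CVE-2021-23178, CVE-2021-23186 and CVE-2021-23203.
  * Fix cross-site scripting issues CVE-2021-26263, CVE-2021-26947,
    CVE-2021-44775 and CVE-2021-45071.
  * Fix local file read via report sandbox (CVE-2021-44476).

 -- Example Maintainer <maint@example.org>  Tue, 04 Jan 2022 10:00:00 +0000
"""


def extract_cves(text: str) -> set[str]:
    """Return the set of CVE ids mentioned anywhere in text."""
    return set(CVE_RE.findall(text))


def top_entry(changelog: str) -> str:
    """Return only the first changelog entry.

    An entry ends at its trailer line, which starts with " -- ". Older
    entries are ignored, since a CVE fixed earlier is not what the
    security team asked to see in *this* upload's entry.
    """
    kept = []
    for line in changelog.splitlines():
        kept.append(line)
        if line.startswith(" -- "):
            break
    return "\n".join(kept)


def missing_cves(report: str, changelog: str) -> list[str]:
    """CVE ids named in the report but absent from the top changelog entry."""
    wanted = extract_cves(report)
    present = extract_cves(top_entry(changelog))
    return sorted(wanted - present)


if __name__ == "__main__":
    missing = missing_cves(REPORT_TEXT, CHANGELOG_TEXT)
    if missing:
        print("changelog entry is missing:", ", ".join(missing))
    else:
        print("changelog entry names every CVE from the report")
```

Run against a real package, read the bug mail into REPORT_TEXT and the package's debian/changelog into CHANGELOG_TEXT; the regex is deliberately strict about the id shape so that a typo such as a dropped digit shows up as a missing id rather than silently matching.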