
    68 vulnerabilities found for Odoo Enterprise by Odoo

    CVE-2024-36259 (GCVE-0-2024-36259)

    Vulnerability from nvd – Published: 2025-02-25 19:10 – Updated: 2025-02-25 19:39
    VLAI
    Summary
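    Improper access control in the mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack. Note: the CNA's CVSS vector in the record below is scored PR:N (no privileges required), which does not match the "authenticated" wording of this description; confirm the actual precondition against the referenced Odoo issue before relying on the base score for prioritisation.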
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: master , ≤ 17.0 (semver)
    Odoo Odoo Enterprise Affected: master , ≤ 17.0 (semver)
    Credits
    Bram Van Gaal

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T19:39:08.861853Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T19:39:18.179Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "17.0",
                  "status": "affected",
                  "version": "master",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "17.0",
                  "status": "affected",
                  "version": "master",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Bram Van Gaal"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-25T19:13:48.034Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/199330"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2024-36259",
        "datePublished": "2025-02-25T19:10:40.570Z",
        "dateReserved": "2024-09-16T13:17:54.071Z",
        "dateUpdated": "2025-02-25T19:39:18.179Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12368 (GCVE-0-2024-12368)

    Vulnerability from nvd – Published: 2025-02-25 18:10 – Updated: 2025-02-25 18:59
    VLAI
    Summary
    Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Credits
    Rafael Fedler

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12368",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T18:59:24.643196Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T18:59:46.305Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "status": "affected",
                  "version": "15.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "status": "affected",
                  "version": "15.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Rafael Fedler"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-25T18:51:23.708Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/193854"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2024-12368",
        "datePublished": "2025-02-25T18:10:12.109Z",
        "dateReserved": "2024-12-09T14:40:14.799Z",
        "dateUpdated": "2025-02-25T18:59:46.305Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-45111 (GCVE-0-2021-45111)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2024-08-04 04:39
    VLAI
    Summary
    Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    Credits
    Nils Hamerlinck Yenthe Van Ginneken

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-45111",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-16T13:41:04.565422Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-16T13:41:21.387Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:39:20.253Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107683"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Nils Hamerlinck"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Yenthe Van Ginneken"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107683"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-45111",
        "datePublished": "2023-04-25T18:33:00.392Z",
        "dateReserved": "2021-12-27T06:14:42.059Z",
        "dateUpdated": "2024-08-04T04:39:20.253Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-45071 (GCVE-0-2021-45071)

    Vulnerability from nvd – Published: 2023-04-25 18:29 – Updated: 2024-08-04 04:32
    VLAI
    Summary
    Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim via crafted uploaded file names.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    Credits
    Lauri Vakkala Anıl Yüksel Agustin Maio Johannes Moritz

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-45071",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T20:57:21.835919Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-17T20:57:39.519Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:32:13.508Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107697"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Lauri Vakkala"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "An\u0131l Y\u00fcksel"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Agustin Maio"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Johannes Moritz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107697"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-45071",
        "datePublished": "2023-04-25T18:29:52.108Z",
        "dateReserved": "2021-12-27T06:22:26.008Z",
        "dateUpdated": "2024-08-04T04:32:13.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44775 (GCVE-0-2021-44775)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2024-08-04 04:32
    VLAI
    Summary
    Cross-site scripting (XSS) issue in the Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim by posting crafted contents.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    Credits
    Holger Brunn

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44775",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T13:57:10.321947Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T13:57:17.113Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:32:13.292Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107691"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Holger Brunn"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107691"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44775",
        "datePublished": "2023-04-25T18:33:38.887Z",
        "dateReserved": "2021-12-28T11:57:09.384Z",
        "dateUpdated": "2024-08-04T04:32:13.292Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44547 (GCVE-0-2021-44547)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2024-08-04 04:25
    VLAI
    Summary
    A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to execute arbitrary code, leading to privilege escalation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-267 - Privilege Defined With Unsafe Actions
    Assigner
    References
    Impacted products
    Credits
    Stephane Debauche

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44547",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T16:25:59.608086Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T16:26:11.050Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:25:16.862Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107696"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "status": "affected",
                  "version": "15.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "status": "affected",
                  "version": "15.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Stephane Debauche"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading to privilege escalation."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-267",
                  "description": "Privilege Defined With Unsafe Actions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107696"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44547",
        "datePublished": "2023-04-25T18:33:42.884Z",
        "dateReserved": "2021-12-27T06:22:26.001Z",
        "dateUpdated": "2024-08-04T04:25:16.862Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44476 (GCVE-0-2021-44476)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2025-02-03 19:33
    VLAI
    Summary
    A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-267 - Privilege Defined With Unsafe Actions
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    Credits
    Toufik Ben Jaa

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:25:16.573Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107684"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44476",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T19:33:46.207981Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T19:33:55.804Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Toufik Ben Jaa"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-267",
                  "description": "Privilege Defined With Unsafe Actions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107684"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44476",
        "datePublished": "2023-04-25T18:33:32.237Z",
        "dateReserved": "2021-12-27T06:14:42.065Z",
        "dateUpdated": "2025-02-03T19:33:55.804Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44465 (GCVE-0-2021-44465)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2025-02-03 17:16
    VLAI
    Summary
    Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 13.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 13.0 (semver)
    Credits
    Swapnesh Shah

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:25:16.836Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107692"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44465",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T17:15:33.343989Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T17:16:04.447Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Swapnesh Shah"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107692"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44465",
        "datePublished": "2023-04-25T18:33:39.776Z",
        "dateReserved": "2021-12-28T11:57:09.374Z",
        "dateUpdated": "2025-02-03T17:16:04.447Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44461 (GCVE-0-2021-44461)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2024-08-04 04:25
    VLAI
    Summary
    Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Odoo Odoo Enterprise Affected: 13.0 , ≤ 15.0 (semver)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44461",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T14:56:19.460796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T14:56:28.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:25:16.399Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107686"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107686"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44461",
        "datePublished": "2023-04-25T18:33:34.490Z",
        "dateReserved": "2021-12-27T06:17:50.969Z",
        "dateUpdated": "2024-08-04T04:25:16.399Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44460 (GCVE-0-2021-44460)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2024-08-04 04:25
    VLAI
    Summary
    Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 13.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 13.0 (semver)
    Credits
    Xavier Morel

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44460",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T13:23:44.267561Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T20:32:56.009Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:25:16.420Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107685"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Xavier Morel"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107685"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44460",
        "datePublished": "2023-04-25T18:33:33.360Z",
        "dateReserved": "2021-12-27T06:17:50.956Z",
        "dateUpdated": "2024-08-04T04:25:16.420Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26947 (GCVE-0-2021-26947)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2024-08-03 20:33
    VLAI
    Summary
    Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    Credits
    Nils Hamerlinck Andreas Perhab

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-26947",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T15:39:58.913170Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-16T13:31:53.667Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:33:41.300Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107694"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Nils Hamerlinck"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Andreas Perhab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107694"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-26947",
        "datePublished": "2023-04-25T18:33:41.553Z",
        "dateReserved": "2021-12-27T06:22:25.995Z",
        "dateUpdated": "2024-08-03T20:33:41.300Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26263 (GCVE-0-2021-26263)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2024-08-03 20:19
    VLAI
    Summary
    Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 14.0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 14.0 , ≤ 15.0 (semver)
    odoo odoo_community Affected: 14.0 , ≤ 15.0 (custom)
        cpe:2.3:a:odoo:odoo_community:14.0:*:*:*:*:*:*:*
    odoo odoo_enterprise Affected: 14.0 , ≤ 15.0 (custom)
        cpe:2.3:a:odoo:odoo_enterprise:14.0:*:*:*:*:*:*:*
    Credits
    Theodoros Malachias iamsushi Ranjit Pahan

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_community:14.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "odoo_community",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThanOrEqual": "15.0",
                    "status": "affected",
                    "version": "14.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_enterprise:14.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "odoo_enterprise",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThanOrEqual": "15.0",
                    "status": "affected",
                    "version": "14.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-26263",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T14:49:47.368802Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T14:56:17.565Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:20.148Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107693"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Theodoros Malachias"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "iamsushi"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Ranjit Pahan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107693"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-26263",
        "datePublished": "2023-04-25T18:33:40.613Z",
        "dateReserved": "2021-07-20T14:28:12.183Z",
        "dateUpdated": "2024-08-03T20:19:20.148Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23203 (GCVE-0-2021-23203)

    Vulnerability from nvd – Published: 2023-04-25 18:35 – Updated: 2025-02-03 17:14
    VLAI
    Summary
    Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 14.0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 14.0 , ≤ 15.0 (semver)
    Credits
    Tiffany Chang, iamsushi, Ranjit Pahan, Iago Ruiz

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.598Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107695"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23203",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T17:13:00.406283Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T17:14:04.331Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Tiffany Chang"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "iamsushi"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Ranjit Pahan"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Iago Ruiz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107695"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-23203",
        "datePublished": "2023-04-25T18:35:38.489Z",
        "dateReserved": "2021-07-20T14:28:12.189Z",
        "dateUpdated": "2025-02-03T17:14:04.331Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23186 (GCVE-0-2021-23186)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2024-08-03 19:05
    VLAI
    Summary
    A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-267 - Privilege Defined With Unsafe Actions
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    odoo odoo_community Affected: 0 , < 15.0 (semver)
        cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*
    odoo odoo_enterprise Affected: 0 , < 15.0 (semver)
        cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*
    Credits
    Nils Hamerlinck

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "odoo_community",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThan": "15.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "odoo_enterprise",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThan": "15.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23186",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T20:54:45.816025Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-17T20:57:01.095Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:53.896Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107688"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Nils Hamerlinck"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-267",
                  "description": "Privilege Defined With Unsafe Actions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107688"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-23186",
        "datePublished": "2023-04-25T18:33:36.536Z",
        "dateReserved": "2021-12-27T06:19:18.852Z",
        "dateUpdated": "2024-08-03T19:05:53.896Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23178 (GCVE-0-2021-23178)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2024-08-03 19:05
    VLAI
    Summary
    Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim's payment method to be charged instead.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    odoo odoo_community Affected: 0 , ≤ 15.0 (custom)
        cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*
    odoo odoo_enterprise Affected: 0 , ≤ 15.0 (custom)
        cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*
    Credits
    Parth Gajjar

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "odoo_community",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThanOrEqual": "15.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "odoo_enterprise",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThanOrEqual": "15.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23178",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T13:46:25.204237Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T13:48:33.754Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:53.926Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107690"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Parth Gajjar"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim\u0027s payment method to be charged instead."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107690"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-23178",
        "datePublished": "2023-04-25T18:33:37.875Z",
        "dateReserved": "2021-12-27T06:19:18.867Z",
        "dateUpdated": "2024-08-03T19:05:53.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23176 (GCVE-0-2021-23176)

    Vulnerability from nvd – Published: 2023-04-25 18:32 – Updated: 2024-08-03 19:05
    VLAI
    Summary
    Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    Credits
    Florent Mirieu de Labarre

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23176",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T15:55:28.408420Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T15:55:44.921Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:54.464Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107682"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Florent Mirieu de Labarre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107682"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-23176",
        "datePublished": "2023-04-25T18:32:31.407Z",
        "dateReserved": "2021-12-27T06:14:42.052Z",
        "dateUpdated": "2024-08-03T19:05:54.464Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23166 (GCVE-0-2021-23166)

    Vulnerability from nvd – Published: 2023-04-25 18:33 – Updated: 2025-02-03 17:19
    VLAI
    Summary
    A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-267 - Privilege Defined With Unsafe Actions
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    Credits
    Nils Hamerlinck

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.305Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107687"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T17:16:56.975334Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-276",
                    "description": "CWE-276 Incorrect Default Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T17:19:21.242Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Nils Hamerlinck"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-267",
                  "description": "Privilege Defined With Unsafe Actions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107687"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-23166",
        "datePublished": "2023-04-25T18:33:35.417Z",
        "dateReserved": "2021-12-27T06:17:50.974Z",
        "dateUpdated": "2025-02-03T17:19:21.242Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-36259 (GCVE-0-2024-36259)

    Vulnerability from cvelistv5 – Published: 2025-02-25 19:10 – Updated: 2025-02-25 19:39
    VLAI
    Summary
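    Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack. Note: the CNA CVSS vector in the record below sets privilegesRequired to NONE (PR:N), which does not match "authenticated" in this description; check the linked vendor issue before relying on the 7.5 score for prioritisation.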
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: master , ≤ 17.0 (semver)
    Odoo Odoo Enterprise Affected: master , ≤ 17.0 (semver)
    Credits
    Bram Van Gaal

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T19:39:08.861853Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T19:39:18.179Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "17.0",
                  "status": "affected",
                  "version": "master",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "17.0",
                  "status": "affected",
                  "version": "master",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Bram Van Gaal"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-25T19:13:48.034Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/199330"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2024-36259",
        "datePublished": "2025-02-25T19:10:40.570Z",
        "dateReserved": "2024-09-16T13:17:54.071Z",
        "dateUpdated": "2025-02-25T19:39:18.179Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12368 (GCVE-0-2024-12368)

    Vulnerability from cvelistv5 – Published: 2025-02-25 18:10 – Updated: 2025-02-25 18:59
    VLAI
    Summary
    Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Credits
    Rafael Fedler

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12368",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T18:59:24.643196Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T18:59:46.305Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "status": "affected",
                  "version": "15.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "status": "affected",
                  "version": "15.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Rafael Fedler"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-25T18:51:23.708Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/193854"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2024-12368",
        "datePublished": "2025-02-25T18:10:12.109Z",
        "dateReserved": "2024-12-09T14:40:14.799Z",
        "dateUpdated": "2025-02-25T18:59:46.305Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23203 (GCVE-0-2021-23203)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:35 – Updated: 2025-02-03 17:14
    VLAI
    Summary
    Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 14.0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 14.0 , ≤ 15.0 (semver)
    Credits
    Tiffany Chang iamsushi Ranjit Pahan Iago Ruiz

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.598Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107695"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23203",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T17:13:00.406283Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T17:14:04.331Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Tiffany Chang"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "iamsushi"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Ranjit Pahan"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Iago Ruiz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107695"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-23203",
        "datePublished": "2023-04-25T18:35:38.489Z",
        "dateReserved": "2021-07-20T14:28:12.189Z",
        "dateUpdated": "2025-02-03T17:14:04.331Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44547 (GCVE-0-2021-44547)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:33 – Updated: 2024-08-04 04:25
    VLAI
    Summary
    A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to execute arbitrary code, leading to privilege escalation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-267 - Privilege Defined With Unsafe Actions
    Assigner
    References
    Impacted products
    Credits
    Stephane Debauche

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44547",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T16:25:59.608086Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T16:26:11.050Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:25:16.862Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107696"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "status": "affected",
                  "version": "15.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "status": "affected",
                  "version": "15.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Stephane Debauche"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading to privilege escalation."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-267",
                  "description": "Privilege Defined With Unsafe Actions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107696"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44547",
        "datePublished": "2023-04-25T18:33:42.884Z",
        "dateReserved": "2021-12-27T06:22:26.001Z",
        "dateUpdated": "2024-08-04T04:25:16.862Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26947 (GCVE-0-2021-26947)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:33 – Updated: 2024-08-03 20:33
    VLAI
    Summary
    Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    Credits
    Nils Hamerlinck Andreas Perhab

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-26947",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T15:39:58.913170Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-16T13:31:53.667Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:33:41.300Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107694"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Nils Hamerlinck"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Andreas Perhab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107694"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-26947",
        "datePublished": "2023-04-25T18:33:41.553Z",
        "dateReserved": "2021-12-27T06:22:25.995Z",
        "dateUpdated": "2024-08-03T20:33:41.300Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26263 (GCVE-0-2021-26263)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:33 – Updated: 2024-08-03 20:19
    VLAI
    Summary
    Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 14.0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 14.0 , ≤ 15.0 (semver)
    odoo odoo_community Affected: 14.0 , ≤ 15.0 (custom)
        cpe:2.3:a:odoo:odoo_community:14.0:*:*:*:*:*:*:*
    odoo odoo_enterprise Affected: 14.0 , ≤ 15.0 (custom)
        cpe:2.3:a:odoo:odoo_enterprise:14.0:*:*:*:*:*:*:*
    Credits
    Theodoros Malachias iamsushi Ranjit Pahan

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_community:14.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "odoo_community",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThanOrEqual": "15.0",
                    "status": "affected",
                    "version": "14.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_enterprise:14.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "odoo_enterprise",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThanOrEqual": "15.0",
                    "status": "affected",
                    "version": "14.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-26263",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T14:49:47.368802Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T14:56:17.565Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:20.148Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107693"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Theodoros Malachias"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "iamsushi"
            },
            {
              "lang": "eng",
              "type": "finder",
              "value": "Ranjit Pahan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107693"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-26263",
        "datePublished": "2023-04-25T18:33:40.613Z",
        "dateReserved": "2021-07-20T14:28:12.183Z",
        "dateUpdated": "2024-08-03T20:19:20.148Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44465 (GCVE-0-2021-44465)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:33 – Updated: 2025-02-03 17:16
    VLAI
    Summary
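    Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests. Note on scoring: the record below carries two CVSS vectors that disagree on required privileges; the CNA's CVSS 3.0 vector uses PR:N (base score 5.3), while the CISA-ADP CVSS 3.1 vector uses PR:L (base score 4.3), which matches the "authenticated" wording of this summary. The CWE field in this listing is empty, but the record itself lists CWE-284 (CNA) and CWE-863 (CISA-ADP).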
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 13.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 13.0 (semver)
    Credits
    Swapnesh Shah

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:25:16.836Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107692"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44465",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T17:15:33.343989Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T17:16:04.447Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Swapnesh Shah"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107692"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44465",
        "datePublished": "2023-04-25T18:33:39.776Z",
        "dateReserved": "2021-12-28T11:57:09.374Z",
        "dateUpdated": "2025-02-03T17:16:04.447Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44775 (GCVE-0-2021-44775)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:33 – Updated: 2024-08-04 04:32
    VLAI
    Summary
    Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    Credits
    Holger Brunn

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44775",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T13:57:10.321947Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T13:57:17.113Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:32:13.292Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107691"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Holger Brunn"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107691"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44775",
        "datePublished": "2023-04-25T18:33:38.887Z",
        "dateReserved": "2021-12-28T11:57:09.384Z",
        "dateUpdated": "2024-08-04T04:32:13.292Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23178 (GCVE-0-2021-23178)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:33 – Updated: 2024-08-03 19:05
    VLAI
    Summary
    Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim's payment method to be charged instead.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    odoo odoo_community Affected: 0 , ≤ 15.0 (custom)
        cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*
    odoo odoo_enterprise Affected: 0 , ≤ 15.0 (custom)
        cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*
    Credits
    Parth Gajjar

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "odoo_community",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThanOrEqual": "15.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "odoo_enterprise",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThanOrEqual": "15.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23178",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T13:46:25.204237Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T13:48:33.754Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:53.926Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107690"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Parth Gajjar"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim\u0027s payment method to be charged instead."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107690"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-23178",
        "datePublished": "2023-04-25T18:33:37.875Z",
        "dateReserved": "2021-12-27T06:19:18.867Z",
        "dateUpdated": "2024-08-03T19:05:53.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23186 (GCVE-0-2021-23186)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:33 – Updated: 2024-08-03 19:05
    VLAI
    Summary
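    A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system. Note on version ranges: the CISA-ADP CPE entries in this record use an exclusive upper bound (< 15.0), whereas the CNA entries and this summary include 15.0 (≤ 15.0); for inventory matching, the safer reading is to treat 15.0 as affected, as the CNA states.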
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-267 - Privilege Defined With Unsafe Actions
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    odoo odoo_community Affected: 0 , < 15.0 (semver)
        cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*
    odoo odoo_enterprise Affected: 0 , < 15.0 (semver)
        cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*
    Credits
    Nils Hamerlinck

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "odoo_community",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThan": "15.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "odoo_enterprise",
                "vendor": "odoo",
                "versions": [
                  {
                    "lessThan": "15.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23186",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T20:54:45.816025Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-17T20:57:01.095Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:53.896Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107688"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Nils Hamerlinck"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-267",
                  "description": "Privilege Defined With Unsafe Actions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107688"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-23186",
        "datePublished": "2023-04-25T18:33:36.536Z",
        "dateReserved": "2021-12-27T06:19:18.852Z",
        "dateUpdated": "2024-08-03T19:05:53.896Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23166 (GCVE-0-2021-23166)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:33 – Updated: 2025-02-03 17:19
    Summary
    A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-267 - Privilege Defined With Unsafe Actions
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 15.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 15.0 (semver)
    Credits
    Nils Hamerlinck

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.305Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107687"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5399"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T17:16:56.975334Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-276",
                    "description": "CWE-276 Incorrect Default Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T17:19:21.242Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Nils Hamerlinck"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-267",
                  "description": "Privilege Defined With Unsafe Actions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107687"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5399"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-23166",
        "datePublished": "2023-04-25T18:33:35.417Z",
        "dateReserved": "2021-12-27T06:17:50.974Z",
        "dateUpdated": "2025-02-03T17:19:21.242Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44461 (GCVE-0-2021-44461)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:33 – Updated: 2024-08-04 04:25
    Summary
    Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Odoo Odoo Enterprise Affected: 13.0 , ≤ 15.0 (semver)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44461",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T14:56:19.460796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T14:56:28.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:25:16.399Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107686"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "15.0",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107686"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44461",
        "datePublished": "2023-04-25T18:33:34.490Z",
        "dateReserved": "2021-12-27T06:17:50.969Z",
        "dateUpdated": "2024-08-04T04:25:16.399Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44460 (GCVE-0-2021-44460)

    Vulnerability from cvelistv5 – Published: 2023-04-25 18:33 – Updated: 2024-08-04 04:25
    Summary
    Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Odoo Odoo Community Affected: 0 , ≤ 13.0 (semver)
    Odoo Odoo Enterprise Affected: 0 , ≤ 13.0 (semver)
    Credits
    Xavier Morel

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44460",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-15T13:23:44.267561Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-15T20:32:56.009Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:25:16.420Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/odoo/odoo/issues/107685"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Community",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Odoo Enterprise",
              "vendor": "Odoo",
              "versions": [
                {
                  "lessThanOrEqual": "13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "eng",
              "type": "finder",
              "value": "Xavier Morel"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
            "shortName": "odoo"
          },
          "references": [
            {
              "url": "https://github.com/odoo/odoo/issues/107685"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
        "assignerShortName": "odoo",
        "cveId": "CVE-2021-44460",
        "datePublished": "2023-04-25T18:33:33.360Z",
        "dateReserved": "2021-12-27T06:17:50.956Z",
        "dateUpdated": "2024-08-04T04:25:16.420Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }