Cross-Site Scripting Vulnerability in Odoo Products by Odoo S.A.
CVE-2018-15641

6.3 MEDIUM

Key Information:

Vendor: Odoo

CVE Published: 22 December 2020

What is CVE-2018-15641?

A Cross-Site Scripting (XSS) vulnerability exists in the web module of Odoo affecting both Community and Enterprise versions from 11.0 to 14.0. This flaw allows remote authenticated internal users to manipulate calendar event attributes to inject arbitrary web scripts into the victims' browsers, potentially leading to unauthorized actions within the Odoo environment.

Affected Version(s)

Odoo Community 11.0

Odoo Community <= 14.0

Odoo Enterprise 11.0

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

msg systems ag
Lauri Vakkala (Silverskin)
Bharath Kumar (Appsecco)
Anıl Yüksel
Aitor Fuentes (kr0no)