Debian Security Advisory

DSA-5399-1 odoo -- security update

Date Reported: 05 May 2023
Affected Packages: odoo
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2021-23166, CVE-2021-23176, CVE-2021-23178, CVE-2021-23186, CVE-2021-23203, CVE-2021-26263, CVE-2021-26947, CVE-2021-44476, CVE-2021-44775, CVE-2021-45071, CVE-2021-45111.
More information:

Several vulnerabilities were discovered in odoo, a suite of web-based open source business apps.

  • CVE-2021-44775, CVE-2021-26947, CVE-2021-45071, CVE-2021-26263

    Cross-site scripting (XSS) allowing a remote attacker to inject arbitrary commands.

  • CVE-2021-45111

    Incorrect access control allowing an authenticated remote user to create user accounts and access restricted data.

  • CVE-2021-44476, CVE-2021-23166

    Incorrect access control allowing an authenticated remote administrator to access local files on the server.

  • CVE-2021-23186

    Incorrect access control allowing an authenticated remote administrator to modify the database contents of other tenants.

  • CVE-2021-23178

    Incorrect access control allowing an authenticated remote user to use another user's payment method.

  • CVE-2021-23176

    Incorrect access control allowing an authenticated remote user to access accounting information.

  • CVE-2021-23203

    Incorrect access control allowing an authenticated remote user to access arbitrary documents via PDF exports.

For the stable distribution (bullseye), these problems have been fixed in version 14.0.0+dfsg.2-7+deb11u1.

We recommend that you upgrade your odoo packages.

For the detailed security status of odoo, please refer to its security tracker page at: https://security-tracker.debian.org/tracker/odoo