Debian Security Advisory
DSA-5399-1 odoo -- security update
- Date Reported:
- 05 May 2023
- Affected Packages:
- odoo
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2021-23166, CVE-2021-23176, CVE-2021-23178, CVE-2021-23186, CVE-2021-23203, CVE-2021-26263, CVE-2021-26947, CVE-2021-44476, CVE-2021-44775, CVE-2021-45071, CVE-2021-45111.
- More information:
-
Several vulnerabilities were discovered in odoo, a suite of web based open source business apps.
- CVE-2021-44775,
CVE-2021-26947,
CVE-2021-45071,
CVE-2021-26263
XSS allowing remote attacker to inject arbitrary commands.
- CVE-2021-45111
Incorrect access control allowing authenticated remote user to create user accounts and access restricted data.
- CVE-2021-44476,
CVE-2021-23166
Incorrect access control allowing authenticated remote administrator to access local files on the server.
- CVE-2021-23186
Incorrect access control allowing authenticated remote administrator to modify database contents of other tenants.
- CVE-2021-23178
Incorrect access control allowing authenticated remote user to use another user's payment method.
- CVE-2021-23176
Incorrect access control allowing authenticated remote user to access accounting information.
- CVE-2021-23203
Incorrect access control allowing authenticated remote user to access arbitrary documents via PDF exports.
For the stable distribution (bullseye), these problems have been fixed in version 14.0.0+dfsg.2-7+deb11u1.
We recommend that you upgrade your odoo packages.
For the detailed security status of odoo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/odoo
- CVE-2021-44775,
CVE-2021-26947,
CVE-2021-45071,
CVE-2021-26263