Dear Odoo Enterprise Subscriber, Dear Odoo Partner, Please find below an important Security Advisory that should be transferred to your Odoo technical administrator as soon as possible. The detailed descriptions are provided as links under the respective CVE references below and on https://www.odoo.com/security-advisories/ This advisory includes several issues with HIGH severity, so it is strongly recommended to update your Odoo deployments as soon as possible, by following the documentation: https://www.odoo.com/r/update-howto Updated installers are available on https://www.odoo.com/page/download All official Odoo Cloud services (Odoo Online and Odoo.sh) already have the security patches deployed. However if you have an Odoo.sh "pinned revision", you should consider updating to the latest official revision as soon as possible. Please contact the Odoo Helpdesk via https://www.odoo.com/help if you have further questions. -- Odoo Security Team PS: You are receiving this message as part of our Security Updates services, included with Odoo Enterprise subscriptions. This message is digitally signed by the Odoo Security Team, with GPG key 4096R/8E877D2F. You can verify it on our website at https://www.odoo.com/security-report If you'd like to designate another Security Contact for your subscription, please ask your Odoo Account Manager or reach out to our helpdesk. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Note: CVE IDs do not reflect the year of discovery, but are related to availability in the pool of IDs reserved for Odoo as a CVE Numbering Authority. # CVE-2021-23176 Affects: Odoo 15.0 and earlier (Community and Enterprise Editions) Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets. Advisory: https://www.odoo.com/security-advisories/CVE-2021-23176.txt # CVE-2021-45111 Affects: Odoo 15.0 and earlier (Community and Enterprise Editions) Severity :: High :: 7.1 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials. Advisory: https://www.odoo.com/security-advisories/CVE-2021-45111.txt # CVE-2021-44476 Affects: Odoo 15.0 and earlier (Community and Enterprise Editions) Severity :: Medium :: 6.8 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files. Advisory: https://www.odoo.com/security-advisories/CVE-2021-44476.txt # CVE-2021-44460 Affects: Odoo 13.0 and earlier (Community and Enterprise Editions) Severity :: High :: 7.4 :: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests. Advisory: https://www.odoo.com/security-advisories/CVE-2021-44460.txt # CVE-2021-44461 Affects: Odoo Enterprise 13.0 through 15.0 Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim. Advisory: https://www.odoo.com/security-advisories/CVE-2021-44461.txt # CVE-2021-23166 Affects: Odoo 15.0 and earlier (Community and Enterprise Editions) Severity :: High :: 8.7 :: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server. Advisory: https://www.odoo.com/security-advisories/CVE-2021-23166.txt # CVE-2021-23186 Affects: Odoo 15.0 and earlier (Community and Enterprise Editions) Severity :: High :: 8.7 :: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system. Advisory: https://www.odoo.com/security-advisories/CVE-2021-23186.txt # CVE-2021-44475 Affects: Odoo 15.0 and earlier (Community and Enterprise Editions) Severity :: Medium :: 6.8 :: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Improper input sanitization in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files. Advisory: https://www.odoo.com/security-advisories/CVE-2021-44475.txt # CVE-2021-23178 Affects: Odoo 15.0 and earlier (Community and Enterprise Editions) Severity :: High :: 7.5 :: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim's payment method to be charged instead. Advisory: https://www.odoo.com/security-advisories/CVE-2021-23178.txt # CVE-2021-44775 Affects: Odoo 15.0 and earlier (Community and Enterprise Editions) Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents. Advisory: https://www.odoo.com/security-advisories/CVE-2021-44775.txt # CVE-2021-44465 Affects: Odoo 13.0 and earlier (Community and Enterprise Editions) Severity :: Medium :: 5.3 :: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests. Advisory: https://www.odoo.com/security-advisories/CVE-2021-44465.txt # CVE-2021-26263 Affects: Odoo 14.0 through 15.0 (Community and Enterprise Editions) Severity :: High :: 7.5 :: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents. Advisory: https://www.odoo.com/security-advisories/CVE-2021-26263.txt # CVE-2021-26947 Affects: Odoo 15.0 and earlier (Community and Enterprise Editions) Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link. Advisory: https://www.odoo.com/security-advisories/CVE-2021-26947.txt # CVE-2021-23203 Affects: Odoo 14.0 through 15.0 (Community and Enterprise Editions) Severity :: High :: 7.5 :: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests. Advisory: https://www.odoo.com/security-advisories/CVE-2021-23203.txt # CVE-2021-44547 Affects: Odoo 15.0 (Community and Enterprise Editions) Severity :: High :: 8.7 :: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading to privilege escalation Advisory: https://www.odoo.com/security-advisories/CVE-2021-44547.txt # CVE-2021-45071 Affects: Odoo 15.0 and earlier (Community and Enterprise Editions) Severity :: Medium :: 5.3 :: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names. Advisory: https://www.odoo.com/security-advisories/CVE-2021-45071.txt