Odoo CVE list. Columns of the original sheet: CVE ID, Description, CVSS v3.1, Severity, Version, Commit (fix commit message), Commit ID [FIX], Commit Hash [FIX], Commit ID [Vulnerable], Commit Hash [Vulnerable], Links. One record per CVE; where the fix was applied to several Odoo versions, each version has its own fix/vulnerable commit pair.

CVE ID: CVE-2017-10804
Description: In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used.
CVSS v3.1: 9.8
Severity: Critical
Commit: "[FIX] sql_db: port fix from psycopg/psycopg2#459. NUL characters must not be used in query parameters, as they will be ignored by libpq, being end-of-string characters. Preventing NULs avoids unexpected results from queries. It is only necessary with psycopg2 versions before 2.7, which includes the upstream fix."
Version: 8.0
  Commit ID [FIX]: eb8d919
  Commit Hash [FIX]: eb8d9190154a72d557674fcffb2a397bce5daed9
  Commit ID [Vulnerable]: 46263eb
  Commit Hash [Vulnerable]: 46263eb398443f2e19c737c4488f43990f244085
Version: 9.0
  Commit ID [FIX]: e3a52a9
  Commit Hash [FIX]: e3a52a9966d4d99cebf7dc95437ecadf87897f69
  Commit ID [Vulnerable]: 2bf6005
  Commit Hash [Vulnerable]: 2bf6005e6a2ecf9c44d17f8b886e02c2670d84bf
Version: 10.0
  Commit ID [FIX]: 4acfe35
  Commit Hash [FIX]: 4acfe3577b910e090bc67ad80982208cd660f8e5
  Commit ID [Vulnerable]: acf7c14
  Commit Hash [Vulnerable]: acf7c1460afd169d0ab12155c68e0edd6abde027
Links: http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3 ; https://github.com/psycopg/psycopg2/issues/420

CVE ID: CVE-2021-23203
Description: Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.
CVSS v3.1: 7.5
Severity: High
Commit: "[FIX] base: correct evaluation context for report rendering. Fix of 57665a0 which was problematic in point_of_sale"
Version: 14.0
  Commit ID [FIX]: f2c1ee5
  Commit Hash [FIX]: f2c1ee5a622db33a4411e7f9285f09387d1d7480
  Commit ID [Vulnerable]: ff1db4a
  Commit Hash [Vulnerable]: ff1db4a6aea522cf3dfc80ca88e64ffecfb5e07c
Version: 15.0
  (no commit data in the sheet for this version)
Links: https://www.debian.org/security/2023/dsa-5399

CVE ID: CVE-2023-48050
Description: SQL injection vulnerability in Cams Biometrics Zkteco, eSSL, Cams Biometrics Integration Module with HR Attendance (aka odoo-biometric-attendance) v. 13.0 through 16.0.1 allows a remote attacker to execute arbitrary code and to gain privileges via the db parameter in the controllers/controllers.py component.
CVSS v3.1: 9.8
Severity: Critical
Version: 13.0 through 16.0.1
Commit: N/A
Commit ID [FIX]: N/A
Commit Hash [FIX]: N/A
Commit ID [Vulnerable]: N/A
Commit Hash [Vulnerable]: N/A
Links: N/A

CVE ID: CVE-2021-45111
Description: Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.
CVSS v3.1: 8.1
Severity: High
Commit: "[FIX] ir_demo.py: Force admin access to load demo data. Only admin users should be able to load demo data, if needed. This is only possible from the settings dashboard, and thus, the method could be decorated. See: c002e2e"
Version: 13.0
  Commit ID [FIX]: 2df06fe
  Commit Hash [FIX]: 2df06fef46d358db9c74c00da5684110073c494c
  Commit ID [Vulnerable]: 83c927f
  Commit Hash [Vulnerable]: 83c927f347e93c54610f7855f5399c200eed13ce
Version: 14.0
  Commit ID [FIX]: d326153
  Commit Hash [FIX]: d326153e016f93c22f40ad8fb146bb4108bb94dc
  Commit ID [Vulnerable]: 49050c1
  Commit Hash [Vulnerable]: 49050c124795852ce7ad51b92958498972730dcf
Version: 15.0
  Commit ID [FIX]: d326153
  Commit Hash [FIX]: d326153e016f93c22f40ad8fb146bb4108bb94dc
  Commit ID [Vulnerable]: 49050c1
  Commit Hash [Vulnerable]: 49050c124795852ce7ad51b92958498972730dcf
Links: https://www.debian.org/security/2023/dsa-5399

CVE ID: CVE-2019-11780
Description: Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation.
CVSS v3.1: 8.1
Severity: High
Commit: "[FIX] fields: compute_sudo defaults to True for stored fields only. The default `compute_sudo=True` makes sense for recomputing stored fields that are indirectly related to a business operation. This ensures that the recomputation of the field does not break an operation that is not aware of the fields to recompute. However, computing non-stored fields in superuser mode is usually not necessary. It even leads to unexpected values: counting a partner's sales orders does not give the same result in superuser mode as in normal mode. That is why non-stored fields are not computed in superuser mode by default. [FIX] account, delivery, event, hr_recruitment, point_of_sale, stock: adapt the model definition to make all fields with the same compute method have the same value for `compute_sudo`. [FIX] sale: split the computation of `invoice_ids`, `invoice_count` (non-stored) and `invoice_status` (stored), as no code is actually shared. closes #38805. Signed-off-by: Olivier Dony (odo) <odo@openerp.com>"
Version: 13.0
  Commit ID [FIX]: 843fd38
  Commit Hash [FIX]: 843fd38a97f02b49dc09d7f55919072d272fd80e
  Commit ID [Vulnerable]: 9492b01
  Commit Hash [Vulnerable]: 9492b0196de5eed25818fb5ef06bcfd3103ff987
Links: N/A

CVE ID: CVE-2018-15632
Description: Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials.
CVSS v3.1: 9.1
Severity: Critical
Commit: "[FIX] loading: require install mode to trigger db init"
Version: 11.0
  Commit ID [FIX]: a1dc2af
  Commit Hash [FIX]: a1dc2af007e3d4caa89792239e2ef5c934f321b7
  Commit ID [Vulnerable]: 3f06c22
  Commit Hash [Vulnerable]: 3f06c220bf0d8f4fa0ee8f5135a358ae26b26aab
Links: N/A

CVE ID: CVE-2018-14885
Description: Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds.
CVSS v3.1: 9.8
Severity: Critical
Commit: "[FIX] web: clean data_file after restore. The file used for the restoration was not properly removed"
Version: 10.0
  Commit ID [FIX]: b020308
  Commit Hash [FIX]: b0203084133bee0dadc004debf3b0fb2835d0ffd
  Commit ID [Vulnerable]: 4e4dd4d
  Commit Hash [Vulnerable]: 4e4dd4dfa2b898c064df93199f882c3829574d44
Version: 11.0
  Commit ID [FIX]: 5decf4a
  Commit Hash [FIX]: 5decf4ab3da7484f8418d648688fbe4250ea7fdd
  Commit ID [Vulnerable]: 6d83f70
  Commit Hash [Vulnerable]: 6d83f700144b29150050900430e8166d3d3345f7
Links: https://github.com/odoo/odoo/commits/master

CVE ID: CVE-2024-36259
Description: Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack.
CVSS v3.1: 7.5
Severity: High
Version: 17.0
Commit Hash: 2007e69ef7798b2e32daa0ed64ec76f2e5c0d4e1 (the sheet does not indicate whether this is the fix or the vulnerable commit; no short ID, commit message or links are recorded)
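The CVE-2017-10804 entry above rests on one mechanism: a 0x00 byte ends a C string, so libpq stops reading a parameter there while the Python application still holds the whole value, and the two layers disagree about what the value is. The following is an added example written for this page, not code from Odoo or psycopg2. It simulates that libpq behaviour in pure Python (no real database is involved) and shows, beside it, the guard the Odoo commit ports from psycopg2: refuse any string parameter containing NUL before it reaches the database layer. All names in it (cstring_view, pass_through, reject_nul, db_would_match, layers_disagree, is_rejected, USERS) are this example's own, and the users table is constructed sample data.

```python
# Added example: simulation of the NUL-truncation behind CVE-2017-10804 and
# the parameter guard that prevents it. Not Odoo's or psycopg2's code.


def cstring_view(value: str) -> str:
    """What a NUL-terminated C API such as libpq sees of a Python string:
    everything from the first 0x00 byte onward is silently dropped.
    (Simulation of the driver behaviour, not a call into libpq.)"""
    return value.split("\x00", 1)[0]


def pass_through(params):
    """Pre-fix parameter handling: values reach the driver untouched, so a
    string containing NUL is truncated inside libpq (simulated here)."""
    return tuple(cstring_view(p) if isinstance(p, str) else p for p in params)


def reject_nul(params):
    """Post-fix parameter handling, modelled on the psycopg2 fix the Odoo
    commit ports: a NUL in any string parameter is an error, so the
    application and the database always agree on the value."""
    for p in params:
        if isinstance(p, str) and "\x00" in p:
            raise ValueError("a string literal cannot contain NUL (0x00) characters")
    return tuple(params)


def is_rejected(params) -> bool:
    """True if reject_nul would refuse `params`."""
    try:
        reject_nul(params)
    except ValueError:
        return True
    return False


# Constructed stand-in for a users table (sample data for this example only).
USERS = {"admin": "correct horse battery staple"}


def db_would_match(login: str, password: str, handler) -> bool:
    """Simulate `SELECT 1 FROM users WHERE login=%s AND password=%s` with the
    given parameter handler; True if the database would return a row."""
    db_login, db_password = handler((login, password))
    return USERS.get(db_login) == db_password


def layers_disagree(value: str, handler) -> bool:
    """True when the application's view of `value` differs from what the
    database actually compares against: the condition the CVE relies on."""
    (db_value,) = handler((value,))
    return db_value != value


if __name__ == "__main__":
    # "admin\x00x" is not "admin" to the application, but it is to the DB.
    print("pre-fix, layers disagree:", layers_disagree("admin\x00x", pass_through))
    print("pre-fix, DB matches:",
          db_would_match("admin\x00x", "correct horse battery staple\x00y", pass_through))
    print("post-fix, NUL rejected:", is_rejected(("admin\x00x",)))
```

The point to take from the two handlers is not the specific login query (the sheet does not record which request path the bypass used) but the invariant: any check the application performs on the full string is meaningless if the database later compares a shorter one, so the only safe place to handle NUL is to reject it at the parameter boundary, which is what fixed psycopg2 versions do in the driver itself.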