CVE-2021-23178

2023-04-2518:33:37

odoo

www.cve.org

improper access control

odoo community

odoo enterprise

online payments

tokenized payment method

unauthorized charges

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.2%

JSON

Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim’s payment method to be charged instead.

CNA Affected

[
  {
    "vendor": "Odoo",
    "product": "Odoo Community",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "15.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "vendor": "Odoo",
    "product": "Odoo Enterprise",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "15.0",
        "versionType": "semver"
      }
    ]
  }
]