Odoo Apps - Cross-Site Scripting via Prototype Pollution
jquery-bbq 1.2.1 contains a prototype pollution vulnerability caused by improperly controlled modification of object prototype attributes, letting malicious users inject properties into Object.prototype. The exploit requires malicious user interaction. id: CVE-2021-20086 info: name: Odoo Apps - Cross-Site Scriptin...
Odoo 8.0/9.0/10.0 - Local File Inclusion
Odoo 8.0, 9.0, and 10.0 are susceptible to local file inclusion via tools.fileopen. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id: CVE-2017-9416 info: name: Odoo 8.0/9.0/10.0 -...
Odoo <= 15.0 - Cross-Site Scripting
A cross-site scripting (XSS) vulnerability in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web scripts into the browser of a victim via a crafted link. This issue could lead to the execution of malicious scripts in the context of t...
Odoo <= 8.0-20160726 & 9.0 - Open Redirect
An Open Redirect vulnerability in Odoo versions <= 8.0-20160726 and 9.0. This issue allows an attacker to redirect users to untrusted sites via a crafted URL. id: CVE-2017-5871 info: name: Odoo <= 8.0-20160726 & 9.0 - Open Redirect author: 1337rokudenashi severity: medium description: | An Open...
Malicious code in odoo-addon-spp-base (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis da9c7bdf0b4ac969bfa720be2b3f87caa4c82a6d3ac7eeda5e74946aa3c1a1de The OpenSSF Package Analysis project identified 'odoo-addon-spp-base' @ 99.0.0 pypi as malicious. It is considered malicious because: - The...
MAL-2026-5367 Malicious code in odoo-addon-spp-base (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis da9c7bdf0b4ac969bfa720be2b3f87caa4c82a6d3ac7eeda5e74946aa3c1a1de The OpenSSF Package Analysis project identified 'odoo-addon-spp-base' @ 99.0.0 pypi as malicious. It is considered malicious because: - The...
CVE-2026-8425
The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the updateSettings function. This makes it possible for unauthenticated attackers to change the Notify Odoo URL to ...
EUVD-2026-30520
The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the updateSettings function. This makes it possible for unauthenticated attackers to change the Notify Odoo URL to ...
CVE-2026-8425 Notify Odoo <= 1.0.1 - Cross-Site Request Forgery to Settings Update
The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the updateSettings function. This makes it possible for unauthenticated attackers to change the Notify Odoo URL to ...
CVE-2026-8425
CVE-2026-8425 describes a Cross-Site Request Forgery in the WordPress Notify Odoo plugin (versions ≤ 1.0.1). The root cause is missing or incorrect nonce validation on the _updateSettings function, enabling unauthenticated attackers to alter the Notify Odoo URL and related settings (notification,...
PT-2026-41280
The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the updateSettings function. This makes it possible for unauthenticated attackers to change the Notify Odoo URL to ...
WordPress plugin Notify Odoo Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
WordPress Notify Odoo plugin <= 1.0.1 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin Notify Odoo versions <= 1.0.1...
Odoo - Cross-Site Scripting
Odoo is a business suite that has features for many business-critical areas, such as e-commerce, billing, or CRM. Versions before the 16.0 release are vulnerable to CVE-2023-1434, which is caused by an incorrect content type being set on an API endpoint. id: CVE-2023-1434 info: name: Odoo - Cross-Si...
CVE-2026-25137
The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store...
CVE-2026-25137 NixOS Odoo database and filestore publicly accessible with default Odoo configuration
The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store...