CVE-2021-23176

2023-04-2518:32:31

CWE-284

odoo

github.com

improper access control

reporting engine

odoo community

odoo enterprise

remote authenticated users

accounting information

crafted rpc packets

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.1

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets.

CNA Affected

[
  {
    "vendor": "Odoo",
    "product": "Odoo Community",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "semver",
        "lessThanOrEqual": "15.0"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Odoo",
    "product": "Odoo Enterprise",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "semver",
        "lessThanOrEqual": "15.0"
      }
    ],
    "defaultStatus": "unaffected"
  }
]