CVE-2021-23178

2023-04-2518:33:37

CWE-284

odoo

github.com

odoo

access control

tokenized payment

unauthorized payments

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.7

Confidence

Low

SSVC

Exploitation

none

Automatable

yes

Technical Impact

partial

JSON

Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim’s payment method to be charged instead.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"
    ],
    "vendor": "odoo",
    "product": "odoo_community",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "15.0"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"
    ],
    "vendor": "odoo",
    "product": "odoo_enterprise",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "15.0"
      }
    ],
    "defaultStatus": "unknown"
  }
]