Abstract Advisory Information
Security issue affecting the product Odoo.
If the Discussion module is installed, a weakness in the module allows an authenticated attacker to send documents to which he has no access to the outside.
In the public channel available in the Discussion module, it is possible to turn on a feature that sends the content of published messages to all channel participants (except the sender) by e-mail. If a message is posted with an attachment, this attachment is also sent by e-mail. The module in charge of sending e-mail does not perform the authorization checks to ensure the e-mail recipients have at least read access to the attachment.
This lack of authorization can be easily exploited because an incremental numeric identifier is assigned to a document when it is uploaded. It's easy to enumerate all potential existing identifiers.
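The missing check described above, as an added example: a simplified Python model of the mail-out step with and without the read-access check. It is not Odoo's code and does not come from the advisory; the class and function names, users, file names and identifiers are hypothetical.

```python
# Simplified model of the flaw; NOT Odoo code. All names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Attachment:
    id: int            # incremental numeric identifier, as in the advisory
    name: str
    readers: set = field(default_factory=set)  # users with read access


@dataclass
class Message:
    author: str
    attachment_ids: list   # identifiers supplied by the poster


def recipients_of(members, msg):
    # All channel participants except the sender receive the e-mail.
    return [m for m in members if m != msg.author]


def mail_vulnerable(store, members, msg):
    """Attach whatever identifiers the message references: no access check."""
    files = [store[i].name for i in msg.attachment_ids if i in store]
    return {rcpt: list(files) for rcpt in recipients_of(members, msg)}


def can_read(store, user, att_id):
    return att_id in store and user in store[att_id].readers


def mail_hardened(store, members, msg):
    """Attach a file only if the recipient has read access to it."""
    # Assumption of this example: also require that the author can read it.
    allowed = [i for i in msg.attachment_ids if can_read(store, msg.author, i)]
    return {
        rcpt: [store[i].name for i in allowed if can_read(store, rcpt, i)]
        for rcpt in recipients_of(members, msg)
    }


# Constructed sample data.
STORE = {
    41: Attachment(41, "payroll.pdf", {"hr_manager"}),
    42: Attachment(42, "meeting-notes.txt", {"alice", "bob", "carol"}),
}
MEMBERS = ["alice", "bob", "carol"]
MSG = Message("alice", [41, 42])
```

With the constructed data, `mail_vulnerable(STORE, MEMBERS, MSG)` mails `payroll.pdf` to every other channel member, while `mail_hardened` delivers only `meeting-notes.txt`.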
Authors: Benoît Chenal
Versions: 11.0.20180808 (Community Edition) and 10.0+e (Enterprise Edition)
Profile: COMMUNITY + ENTERPRISE
Common Vulnerability Scoring System
Vulnerability Disclosure Timeline
- 22/08/2018: Vulnerability discovered
- 23/08/2018: Odoo notification of issues
- 30/08/2018: Odoo acknowledgment
- 16/10/2018: Private disclosure
- 06/11/2018: Planned public disclosure
- 07/11/2018: Odoo postpones the public disclosure after an issue caused by the patch
- 27/11/2018: Planned public disclosure
- 28/11/2018: Public disclosure by Excellium-services in agreement with Odoo