Bug with invoices and credit notes

for Odoo 9

When taxes are shown on invoices and credit notes, the amount is not converted into the number format of the recipient's language. For example, an English invoice uses a comma instead of a period as the decimal separator.
You can check every generated report for this error and correct it by hand, or you can let us fix the bug for you in a short time.


Contact us if you would like this problem fixed.

Remote code execution via Anonymization module

for Odoo 8, Odoo 9 and Odoo 10

I.   Background
Odoo includes an optional "Database Anonymization" module that can be used by administrators to perform a one-shot reversible anonymization of their database contents. This is typically used to remove all identifiable names and details from the address book and all documents in an Odoo database, prior to sending it to Odoo's upgrade systems.
The operation can be reversed later once the database upgrade is completed.

II.  Problem Description
The serialization system used to store the local data to reverse the anonymization procedure relies on the "pickle" object serialization algorithm.
The pickle module of Python is not secure against erroneous or maliciously constructed data, and in its default configuration, could be exploited to execute arbitrary Python code.

Incorrect access control on OAuth tokens

for Odoo 8, Odoo 9 and Odoo 10

I.   Background
Odoo comes with several authentication methods, some of them using locally stored passwords, and others relying on external authentication.
One of the external authentication methods is OAuth, provided by the OAuth module. This authentication method is not enabled by default, and requires an external OAuth2 Authentication Provider, such as Facebook, Google or Odoo.com's OAuth.
With OAuth, the user is redirected to the external provider during the authentication process, and the user password is never transmitted via Odoo. Instead, the user obtains a temporary OAuth token from the provider, which is then verified by Odoo and used as a temporary password.

II.  Problem Description
The OAuth tokens were not correctly protected once stored in the Odoo database.

Cross-Site Scripting (XSS) using insecure redirect handler

for Odoo 8, Odoo 9 and Odoo 10

I.   Background
Odoo includes a generic mechanism for redirecting the end-user to a given target URL after performing an operation.
This is typically used to continue the navigation to the original destination after letting the user sign in, or after performing some housekeeping on the user's session.
In order to allow advanced authentication flows such as OAuth, this mechanism supports and allows arbitrary destination URLs to be requested.

II.  Problem Description
The redirection handler did not verify the URL scheme used in the requested redirection URL.
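As an added illustration (not Odoo's code), this is the kind of scheme and host check a hardened redirect handler applies before honouring a requested target: only same-site relative paths or http(s) URLs to an explicitly allowed host pass, every other scheme is refused and the request falls back to a fixed page. The `allowed_hosts` parameter, the `fallback` path and the sample host names are assumptions.

```python
from urllib.parse import urlsplit

# Only these schemes may ever be used as a redirect target.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(url, allowed_hosts):
    """Return True if `url` is a relative path on this site or an http(s)
    URL whose host is in `allowed_hosts` (assumed set of lowercase hosts).

    Rejects any other scheme (javascript:, data:, ...), protocol-relative
    URLs such as //other.example, and hosts that are not allowed.
    """
    if not isinstance(url, str) or not url:
        return False
    # Browsers tolerate leading whitespace and embedded control characters
    # in a scheme, so reject anything that would change when cleaned.
    cleaned = "".join(ch for ch in url if ch.isprintable()).strip()
    if cleaned != url:
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one "/" and contain no
        # backslash, which some browsers treat as a second "/".
        return url.startswith("/") and not url.startswith("//") and "\\" not in url
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def safe_redirect_target(url, allowed_hosts, fallback="/web"):
    """Return `url` if it passes the check, otherwise the fixed fallback."""
    return url if is_safe_redirect(url, allowed_hosts) else fallback


if __name__ == "__main__":
    hosts = {"erp.example"}  # constructed sample of this site's hosts
    for candidate in ["/web?debug=1", "https://erp.example/web/login",
                      "javascript:void(0)", "//other.example/x",
                      "https://erp.example@other.example/"]:
        print(candidate, "->", safe_redirect_target(candidate, hosts))
```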

Access control bypass via Psycopg2 vulnerability

for Odoo 8, Odoo 9 and Odoo 10

I.   Background
Odoo uses the psycopg2 Python library as database adapter, in order to connect to the PostgreSQL backend, the database management system.

II.  Problem Description
Psycopg2 versions before 2.6.3 did not properly handle database query parameters that contain NUL (0x00) bytes, passing them unmodified to the underlying libpq database driver.


Contact us if you would like this problem fixed.