Bug in invoices and credit notes

for Odoo 9

When taxes are shown on invoices and credit notes, the amount is not converted to the correct currency format for the recipient's language. For example, an English invoice uses a comma instead of a point as the decimal separator.
You can now check every generated report for this error and correct it manually, or have us fix the bug for you in short order.


Contact us if you would like this problem fixed.

Remote code execution via Anonymization module

for Odoo 8, Odoo 9 and Odoo 10

I.   Background
Odoo includes an optional "Database Anonymization" module that can be used by administrators to perform a one-shot reversible anonymization of their database contents. This is typically used to remove all identifiable names and details from the address book and all documents in an Odoo database, prior to sending it to Odoo's upgrade systems.
The operation can be reversed later once the database upgrade is completed.

II.  Problem Description
The serialization system used to store the local data to reverse the anonymization procedure relies on the "pickle" object serialization algorithm.
The pickle module of Python is not secure against erroneous or maliciously constructed data, and in its default configuration, could be exploited to execute arbitrary Python code.
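One mitigation for the pickle issue described above, as an added example that is not Odoo's code: an allowlisting Unpickler that refuses any global the stream references unless it is explicitly permitted, so a crafted stream can no longer name arbitrary callables. The allowlist contents and the sample reversal data are assumptions.

```python
import datetime
import io
import pickle

# Globals a pickle stream may reference. Anything else (arbitrary modules,
# classes or callables) is refused before the unpickler can instantiate it.
# Assumption: reversal data only needs plain containers and scalars, which
# need no globals at all in protocol 4+; the builtins below cover older
# protocols that encode sets via REDUCE.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any GLOBAL/STACK_GLOBAL not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize untrusted pickle data with the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Return (benign_roundtrip_ok, unlisted_global_refused)."""
    # Constructed sample: the kind of mapping a reversal file might hold.
    original = {"res.partner": {1: "Alice Example", 2: "Bob Example"},
                "anonymized_fields": {"name", "email"}}
    benign_ok = restricted_loads(pickle.dumps(original)) == original

    # Constructed sample that references a global outside the allowlist.
    # datetime.date is harmless; it stands in for any class or callable a
    # stream could name, and must be refused before anything is instantiated.
    suspicious = pickle.dumps(datetime.date(2017, 1, 1))
    try:
        restricted_loads(suspicious)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return benign_ok, refused
```

Even with an allowlist, pickle should only be used on data that never left a trusted store; for data that crosses a trust boundary, a data-only format such as JSON removes the problem entirely.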

Incorrect access control on OAuth tokens

for Odoo 8, Odoo 9 and Odoo 10

I.   Background
Odoo comes with several authentication methods, some of them using locally stored passwords, and others relying on external authentication.
One of the external authentication methods is OAuth, provided by the OAuth module. This authentication method is not enabled by default, and requires an external OAuth2 Authentication Provider, such as Facebook, Google or Odoo.com's OAuth.
With OAuth, the user is redirected to the external provider during the authentication process, and the user password is never transmitted via Odoo. Instead, the user obtains a temporary OAuth token from the provider, which is then verified by Odoo and used as a temporary password.

II.  Problem Description
The OAuth tokens were not correctly protected once stored in the Odoo database.

Cross-Site Scripting (XSS) using insecure redirect handler

for Odoo 8, Odoo 9 and Odoo 10

I.   Background
Odoo includes a generic mechanism for redirecting the end-user to a given target URL after performing an operation.
This is typically used to continue the navigation to the original destination after letting the user sign in, or after performing some housekeeping on the user's session.
In order to allow advanced authentication flows such as OAuth, this mechanism supports and allows arbitrary destination URLs to be requested.

II.  Problem Description
The redirection handler did not verify the URL scheme used in the requested redirection URL.

Access control bypass via Psycopg2 vulnerability

for Odoo 8, Odoo 9 and Odoo 10

I.   Background
Odoo uses the psycopg2 Python library as database adapter, in order to connect to the PostgreSQL backend, the database management system.

II.  Problem Description
Psycopg2 versions before 2.6.3 did not properly handle database query parameters that contain NUL (0x00) bytes, passing them unmodified to the underlying libpq database driver.


Contact us if you would like this problem fixed.