Odoo, Stored Cross-Site Scripting, CVE-2024-32854 (Critical)

Listen to this Post

The vulnerability is a classic stored XSS where user-supplied input is not properly sanitized before being rendered. Specifically, malicious JavaScript code entered into the “Observations” field of a Delivery Note is saved to the database. When an administrator later navigates to the “History” view for that record, the application retrieves and directly injects the unsanitized historical data into the HTML document without applying proper HTML entity encoding (e.g., converting `<` to &lt;). This allows the attacker’s script, such as one using an `onerror` event handler within an `` tag, to be interpreted and executed by the victim’s browser in the security context of the administering session. The script can then perform authenticated actions, like calling internal API endpoints to change the administrator’s password, as it bypasses CSRF protections by executing within a legitimate session.
Platform: Enterprise ERP
Version: Multiple versions
Vulnerability: Stored XSS
Severity: Critical
date: Discovered 2024

Prediction: Q4 2024 patch

What Undercode Say:

grep -r "observations" ./addons/
curl -X POST -d "observations=<img src=x onerror=alert(document.domain)>" http://host/save_note
// Payload to change admin password via internal API
fetch('/web/dataset/call_kw/res.users/change_password', {
method: 'POST',
body: JSON.stringify({"params":{"fields":{"id":1,"new_password":"hacked"}}})
});

How Exploit:

  1. Attacker with user privileges injects script into Observations field.

2. Script saves to database history log.

3. Admin views History tab.

4. Malicious script executes in admin context.

5. Script calls internal user password change API.

6. Attacker gains admin credentials.

Protection from this CVE:

Implement strict output encoding.

Sanitize all user-controlled history fields.

Add current password verification.

Enforce Content Security Policy.

Impact:

Full administrator account takeover.

Sensitive data exposure.

Financial data manipulation.

Bypasses CSRF protections.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top