CVE-2021-26263

Description

Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.

How to fix CVE-2021-26263

To remediate CVE-2021-26263, upgrade the affected package to a fixed version below.

Bitnami/odoo—upgrade to 14.0.1 or later
—upgrade to 14.0.0+dfsg.2-7+deb11u1 or later

Is CVE-2021-26263 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 14.0.0, < 14.0.1, >= 15.0.0, < 15.0.1
from 0, < 14.0.0+dfsg.2-7+deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-26263
WEBgithub.com/odoo/odoo/issues/107693
WEBnvd.nist.gov/vuln/detail/CVE-2021-26263
WEBwww.debian.org/security/2023/dsa-5399