CVE-2021-26263: 
NixOS vulnerability analysis and mitigation

Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents. The vulnerability was assigned CVE-2021-26263 and affects both Community and Enterprise editions of Odoo versions 14.0 and 15.0 (Odoo Issue).

The vulnerability exists in the live chat feature of Odoo's Discuss app, which allows real-time discussions with employees or website visitors. The issue stems from improper input validation that allows injection of arbitrary code that gets executed in the victim's browser when a message is received. The vulnerability has been assigned a CVSS3 Score of 7.5 (High) with a vector string of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (Odoo Issue).

The vulnerability allows attackers to craft requests to send arbitrary code to a victim and execute web script without requiring active interaction from the victim, other than being connected. This can potentially lead to privilege escalation and sensitive information disclosure. The attack vector is network exploitable and requires no authentication (Odoo Issue).

The vulnerability has been fixed in the following patches: version 14.0 (patch ff1db4a) and version 15.0 (patch 41e7d26). No workaround is available, and updating to the latest revision or applying the corresponding patch is strongly recommended. Odoo Cloud servers were patched as soon as the correction was available. For Debian systems, the fix has been included in version 14.0.0+dfsg.2-7+deb11u1 for the stable distribution (bullseye) (Debian Advisory, Odoo Issue).