CVE-2021-44461: 
NixOS vulnerability analysis and mitigation

Cross-site scripting (XSS) vulnerability identified as CVE-2021-44461 affects the Accounting app of Odoo Enterprise versions 13.0 through 15.0. The vulnerability was disclosed on December 10, 2022, and impacts the account_accountant component. This security flaw allows remote attackers who can control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim (GitHub Issue).

The vulnerability stems from improper sanitization of invoice content in the Odoo accounting application, particularly when handling automatically imported email invoices. The issue has a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. An alternative scoring by Odoo rates it at 6.5 (Medium) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

When exploited, this vulnerability allows malicious users to send crafted invoices that can trigger injected web script code when an accountant opens the invoice. The attack requires no authentication and is network exploitable, potentially compromising the security of accounting data and user sessions (GitHub Issue).

No temporary workaround was available for this vulnerability. The recommended solution was to update to the latest revision or apply specific patches. Fixes were implemented through commits eb6799b56c (13.0-ent), 48f48647e3d (14.0-ent), and fce7a1a52e7e (15.0-ent) in the enterprise repository. Odoo Cloud servers were patched immediately upon correction availability (GitHub Issue).