CVE-2021-45071: 
NixOS vulnerability analysis and mitigation

Cross-site scripting (XSS) vulnerability identified in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, tracked as CVE-2021-45071. The vulnerability was discovered by multiple security researchers including Lauri Vakkala, Anıl Yüksel, Agustin Maio, and Johannes Moritz from Cure53. The issue allows remote attackers to inject arbitrary web script in the browser of a victim through crafted uploaded file names (Odoo Advisory).

The vulnerability exists in the generic component for uploading files, known as the 'binary field widget'. The root cause is improper sanitization of uploaded file names in this component. The vulnerability has been assigned a CVSS v3.0 base score of 5.3 (Medium) with the vector string CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating network exploitability with no authentication required but requiring user interaction (Odoo Advisory).

If an attacker can control the contents of the binary field widget, either directly or indirectly (e.g., via email), they can execute arbitrary web scripts (XSS) in the victim's browser. This could lead to privilege escalation by triggering malicious actions through a privileged victim or enable the capture of sensitive data. The vulnerability affects systems where certain modules/apps using the default binary field widget are installed (Odoo Advisory).

No workaround was available for this vulnerability. The recommended solution was to update to the latest revision or apply the corresponding patch. Patches were provided for versions 13.0 (b9ae627), 14.0 (609b650), and 15.0 (9f8da7b). Odoo Cloud servers were patched immediately upon correction availability (Odoo Advisory, Debian Advisory).