Odoo XSS (CVE-2023-1434)
Description
Odoo versions prior to the patched release contain a cross-site scripting (XSS) vulnerability caused by an API endpoint serving user-controlled content with an incorrect Content-Type header. This misconfiguration allows attackers to inject and execute arbitrary JavaScript code in the context of the vulnerable application when victims access specially crafted URLs.
Remediation
Apply the security patches by upgrading to Odoo version 16.0 or later, or apply the vendor-provided patches for your specific Odoo version branch. If immediate patching is not possible, implement the following temporary mitigations:

(1) Configure your web application firewall or reverse proxy to enforce proper Content-Type headers on API responses, ensuring they match the actual content being served.

(2) Review and update API endpoint configurations to explicitly set Content-Type headers, for example:

    response.headers['Content-Type'] = 'application/json'  # explicit type, instead of a default or user-influenced content type

(3) Implement Content Security Policy (CSP) headers to restrict script execution as an additional defense layer.

(4) Monitor access logs for suspicious patterns in API endpoint requests.

Verify the fix after patching by testing that API endpoints return appropriate Content-Type headers that prevent script execution.
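As an added example (not code from this advisory or from Odoo), the following Python check expresses the verification step above: it flags an API response whose Content-Type is missing, renderable as a document, or mismatched with its body, and shows the hardened header set a JSON endpoint should send. The header names, the `RENDERABLE` set and the sample response are constructed for illustration.

```python
# Checks a response against the CVE-2023-1434 failure mode: user-controlled
# content served with a Content-Type the browser will render as a document.
# Constructed example; not Odoo code.
import json
from typing import Dict, List, Mapping, Tuple

# Media types a browser renders as a document; markup in such a body executes.
RENDERABLE = {"text/html", "application/xhtml+xml", "image/svg+xml",
              "text/xml", "application/xml"}


def media_type(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def assess_response(headers: Mapping[str, str], body: bytes) -> List[str]:
    """Return findings for one response; an empty list means the body is
    safe to hold user-controlled content."""
    findings = []
    # Header names are case-insensitive; normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}
    ctype = lower.get("content-type")
    if ctype is None:
        findings.append("missing-content-type")   # browser will sniff
    elif media_type(ctype) in RENDERABLE:
        findings.append("renderable-content-type")
    elif media_type(ctype) == "application/json":
        try:
            json.loads(body)
        except ValueError:
            findings.append("body-not-json")       # header does not match body
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing-nosniff")         # sniffing can override the type
    return findings


def hardened_json_response(payload) -> Tuple[Dict[str, str], bytes]:
    """Serialise payload as JSON with headers that pin the content type."""
    body = json.dumps(payload).encode("utf-8")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


# Constructed sample of the vulnerable shape: user text echoed as text/html.
VULNERABLE = ({"Content-Type": "text/html"}, b"<i>user supplied name</i>")

if __name__ == "__main__":
    print(assess_response(*VULNERABLE))
    print(assess_response(*hardened_json_response({"name": "<i>user</i>"})))
```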