Serpent Consulting Services Pvt. Ltd. - Odoo Technology Partner



We handle Odoo security on their behalf and we work hand in hand. The following analysis draws on references from Odoo.com and some from Wikipedia; the highlights are summarised below.

Download the complete reference from here.


Odoo is an all-in-one management suite: a set of business applications that together form a complete enterprise management suite for companies of all sizes, including CRM, website/e-commerce, billing, accounting, manufacturing, warehouse and project management, and inventory.

  • The prime benefit of Odoo is its extensible architecture. A large number of freelancers and organisations develop Odoo apps (modules) and publish them in the marketplace, for sale or for free download.
  • The main Odoo components are the OpenObject framework, about 30 core modules (also called official modules) and more than 5000 community modules. Most Odoo modules are available in Odoo S.A.'s marketplace, where the community can buy modules or download many of them for free.
  • As of 9 July 2018, 15,759 apps or modules were listed on the marketplace across different categories. Most modules are available for all active versions: 9.0, 10.0 and 11.0.
  • Odoo is written in Python and uses a PostgreSQL database. The software is accessed via a web browser through a single-page application written in JavaScript. The Community Edition repository is on GitHub.

Some recent vulnerabilities in Odoo that were exploited:

CVE-2017-10803:

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because the uploaded data is deserialised with Python's pickle (unpickle). Unpickling attacker-controlled bytes is equivalent to running attacker-chosen code: the format lets an object name any importable callable to be invoked during reconstruction.
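The mechanism behind this class of bug, as an added example that is not Odoo's code and not taken from the advisory. The "anonymization file" here is a constructed pickle whose `__reduce__` names a callable; a real payload would name `os.system` or `subprocess.Popen`, whereas `attacker_callable` only records that it was invoked. The hardened loader (`RestrictedUnpickler`, a name chosen for this example) resolves only an allow-list of harmless builtins and refuses every other global, which is the standard way to load pickle data you do not trust when switching to JSON is not an option.

```python
import builtins
import io
import pickle

# Record of callables the unpickler invoked (constructed for this demo).
EXECUTED = []


def attacker_callable(marker):
    """Stands in for os.system/subprocess in a real payload: it only records
    that the unpickler called it, which is enough to show the mechanism."""
    EXECUTED.append(marker)
    return marker


class MaliciousPayload:
    """Any object with __reduce__ can tell the unpickler to call a global
    callable with chosen arguments when the object is reconstructed."""

    def __reduce__(self):
        return (attacker_callable, ("pwned",))


def build_payload() -> bytes:
    """What an attacker would upload in place of a legitimate data file."""
    return pickle.dumps(MaliciousPayload())


def build_benign() -> bytes:
    """A legitimate-looking document built only from containers and scalars."""
    return pickle.dumps({"res_partner": [{"id": 1, "name": "Anon-1"}], "version": 10.0})


def unsafe_load(data: bytes):
    """'Before': pickle.loads honours __reduce__, so the payload runs on load."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: only a few harmless builtins may be referenced as
    globals, so a __reduce__ pointing at os.system cannot even be resolved."""

    SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                     "str", "int", "float", "bool", "bytes"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    """'After': returns the document, or None if it referenced a forbidden global."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    unsafe_load(build_payload())
    print("unsafe:", EXECUTED)                       # ['pwned']
    EXECUTED.clear()
    print("safe:", safe_load(build_payload()), EXECUTED)   # None []
    print("benign:", safe_load(build_benign()))
```

Note that the allow-list approach still parses the whole stream, so it is a mitigation for the "arbitrary callable" problem only; where the data model is plain dictionaries and lists, replacing pickle with JSON removes the problem class entirely.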

CVE-2017-10804:

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 (NUL) characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used. The practical consequence is that a check performed in Python on the full string and a comparison performed by the database on the truncated string can disagree; the fix is both to upgrade the driver and to reject NUL bytes at the input boundary.
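The discrepancy described above, as an added example that is not Odoo's code and does not reproduce the specific Odoo code path from the advisory. `adapt_legacy` emulates the old driver's truncation at the first NUL byte, `adapt_fixed` emulates the post-2.6.3 behaviour of refusing such parameters (the error text is assumed), and the `res_users` table, the reserved-login guard and the logins are constructed for the demo. SQLite stands in for PostgreSQL so the block runs offline.

```python
import sqlite3


def adapt_legacy(value: str) -> str:
    """Emulates the pre-2.6.3 driver behaviour: the parameter was handed to a
    C API as a NUL-terminated string, so everything after the first 0x00 byte
    was silently dropped before it reached the database."""
    return value.split("\x00", 1)[0]


def adapt_fixed(value: str) -> str:
    """Emulates the fixed driver (psycopg 2.6.3 and later): a parameter that
    contains NUL is refused instead of truncated. Message text is assumed."""
    if "\x00" in value:
        raise ValueError("A string literal cannot contain NUL (0x00) characters.")
    return value


# Constructed application layer: a login that a web-facing lookup must never
# match, guarded by a Python comparison on the *full* string.
RESERVED_LOGINS = {"admin"}


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE res_users (login TEXT PRIMARY KEY, active INTEGER)")
    conn.executemany("INSERT INTO res_users VALUES (?, ?)", [("admin", 1), ("alice", 1)])
    return conn


def lookup_user(conn, login: str, adapt):
    """The guard sees the raw Python string; the query sees whatever the
    driver's adapter lets through. With adapt_legacy those differ."""
    if login in RESERVED_LOGINS:
        return None
    row = conn.execute("SELECT login FROM res_users WHERE login = ?",
                       (adapt(login),)).fetchone()
    return row[0] if row else None


def probe(conn, login: str, adapt) -> str:
    """Summarise one attempt: the matched login, 'no match' or 'rejected'."""
    try:
        found = lookup_user(conn, login, adapt)
    except ValueError:
        return "rejected"
    return found if found else "no match"


if __name__ == "__main__":
    conn = setup_db()
    print(probe(conn, "admin", adapt_legacy))        # no match (guard works)
    print(probe(conn, "admin\x00x", adapt_legacy))   # admin   (guard bypassed)
    print(probe(conn, "admin\x00x", adapt_fixed))    # rejected
```

The same NUL check belongs in the application's own parameter validation as well, so that the behaviour does not depend on which driver version happens to be installed on a given host.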

CVE-2017-10805:

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack the OAuth sessions of other users: a user who can read another user's stored token can authenticate as that user.
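The access-control pattern at stake, as an added example that is not Odoo's code and does not claim to reproduce the exact field or check the advisory refers to. The user records, token values, `read_user_unsafe`/`read_user_safe` readers and the `login_with_token` session lookup are all constructed for this demo; the point is that a stored credential must be readable only by its owner (or an administrator), because whoever can read it can use it.

```python
from typing import Optional


class User:
    """Constructed user record; token values are made up."""

    def __init__(self, uid, login, token, is_admin=False):
        self.id, self.login, self.oauth_access_token, self.is_admin = uid, login, token, is_admin


USERS = {
    1: User(1, "admin", "tok-admin-0001", is_admin=True),
    2: User(2, "alice", "tok-alice-0002"),
    3: User(3, "bob", "tok-bob-0003"),
}
SENSITIVE_FIELDS = {"oauth_access_token"}


def login_with_token(token: str) -> Optional[str]:
    """What an OAuth login path effectively does: a valid stored token yields
    that user's session, no matter who presents it."""
    for user in USERS.values():
        if user.oauth_access_token == token:
            return user.login
    return None


def read_user_unsafe(requester_id, target_id, fields):
    """'Before': any authenticated user may read any listed field of any user."""
    target = USERS[target_id]
    return {f: getattr(target, f) for f in fields}


def read_user_safe(requester_id, target_id, fields):
    """'After': sensitive fields are readable only by the record's owner or an admin."""
    requester, target = USERS[requester_id], USERS[target_id]
    for f in fields:
        if f in SENSITIVE_FIELDS and not (requester.is_admin or requester.id == target.id):
            raise PermissionError(f"{requester.login} may not read {f} of {target.login}")
    return {f: getattr(target, f) for f in fields}


def hijack_attempt(reader, requester_id, target_id) -> str:
    """Read the target's token with the given reader and try to log in with it.
    Returns the login obtained, 'denied' if the read was refused."""
    try:
        token = reader(requester_id, target_id, ["oauth_access_token"])["oauth_access_token"]
    except PermissionError:
        return "denied"
    return login_with_token(token) or "no session"


if __name__ == "__main__":
    print(hijack_attempt(read_user_unsafe, 2, 3))  # bob    (alice now acts as bob)
    print(hijack_attempt(read_user_safe, 2, 3))    # denied
    print(hijack_attempt(read_user_safe, 2, 2))    # alice  (own token is fine)
```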

CVE-2017-9416:

Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0 and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service. The usual cause is joining a caller-supplied name to a base directory and opening the result without checking that the resolved path still lies inside that directory.
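The check that this class of bug is missing, as an added example that is not Odoo's `tools.file_open` and is not taken from the fix. `file_open_unsafe` is the constructed "before" (join and open, no containment check); `file_open_safe` resolves symlinks and `..` with `realpath()` first and then requires the result to share the root as its common path, which also catches absolute names (`os.path.join` silently returns an absolute second argument). `run_demo` builds a throwaway directory tree so the block runs offline.

```python
import os
import tempfile


def file_open_unsafe(root: str, name: str) -> str:
    """Constructed 'before': the caller-supplied name is joined to the root and
    opened with no containment check, so '../secret.txt' or an absolute path
    escapes the root."""
    return os.path.join(root, name)


def file_open_safe(root: str, name: str) -> str:
    """Resolve first, check second: realpath() collapses '..' and follows
    symlinks, then commonpath() must give back the root itself."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"refusing to open {name!r}: outside {root_real}")
    return candidate


def read_under_root(root: str, name: str, opener) -> str:
    with open(opener(root, name), "r", encoding="utf-8") as fh:
        return fh.read()


def run_demo() -> dict:
    """Build a tree with one file inside the root and one outside it, then try
    each opener on a normal name, a traversal name and an absolute path."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "addons")
        os.makedirs(os.path.join(root, "web", "static"))
        with open(os.path.join(root, "web", "static", "ok.txt"), "w", encoding="utf-8") as fh:
            fh.write("inside")
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("outside")
        traversal = os.path.join("..", "secret.txt")

        results["unsafe_normal"] = read_under_root(root, "web/static/ok.txt", file_open_unsafe)
        results["unsafe_traversal"] = read_under_root(root, traversal, file_open_unsafe)
        results["safe_normal"] = read_under_root(root, "web/static/ok.txt", file_open_safe)
        for label, name in (("safe_traversal", traversal), ("safe_absolute", secret)):
            try:
                read_under_root(root, name, file_open_safe)
                results[label] = "opened"
            except PermissionError:
                results[label] = "refused"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:16s} {value}")
```

Checking the string for `..` before normalisation is the classic mistake; encoded or symlinked variants get past it, which is why the comparison is made on the resolved path.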


Overall, we found the following noteworthy problems:

  1. Cookie Poisoning
  2. Session Termination
  3. Broken Access Control
  4. Cross Site Request Forgery
  5. Cross Site Scripting (XSS)
  6. Code Injection
  7. Sensitive Data Exposure
  8. Clickjacking
  9. Cross Frame Scripting (XFS)

