Odoo Community and Enterprise Improper Access Control Vulnerability in auth_oauth Module Allowing OAuth Token Export

Vulnerability

A vulnerability exists in the auth_oauth module of Odoo Community and Enterprise version 15.0. It allows internal users who hold export permissions to read and export the OAuth tokens of other users who have recently authenticated through an OAuth provider. This access control flaw could lead to session hijacking: a low-privileged user could impersonate another user with higher privileges, but only while the stolen OAuth token remains valid.

Impact

Exploitation of this vulnerability could result in session hijacking of users authenticated via OAuth, giving the attacker access to the victim's privileges and data for the lifetime of the token.

Remediation

Users are advised to update to the latest version of Odoo 15.0 Community or Enterprise. Odoo Cloud servers have already been patched. For on-premise installations that cannot update immediately, remove export permissions from untrusted internal users, or uninstall the auth_oauth module if other login methods are available.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 1.3
exploitability: 6.6
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.