OdooCheck/Dashboard

Error Explorer

Browse, filter, and fix all detected issues

8 of 8 issues
criticalSEC-001

SQL injection via direct string formatting

models/sale_order.py:142

User input is directly concatenated into a SQL query without parameterization. This allows attackers to inject arbitrary SQL commands.

owasp-a03injectionsql
highORM-012

Missing sudo() in public controller method

AUTO-FIX

models/stock_move.py:78

A recordset operation is performed without sudo() in a method accessible from the public website, potentially exposing data.

access-controlorm
mediumPY-045

Deprecated @api.multi decorator used

AUTO-FIX

models/account.py:33

The @api.multi decorator was removed in Odoo 14. Use @api.model or plain methods instead.

deprecatedmigration
highXML-007

Unsafe eval() in domain attribute

views/sale_views.xml:56

The domain attribute uses eval() which can execute arbitrary Python code if attacker-controlled values reach this template.

xssevalsecurity
lowMAN-003

Missing license field in manifest

AUTO-FIX

__manifest__.py:8

The __manifest__.py file does not declare a license. This is required for Odoo App Store submissions and best practice.

manifestcompliance
mediumORM-019

N+1 query pattern detected in loop

models/hr_payslip.py:210

A database query is executed inside a for loop iterating over records. Use prefetch_fields or browse() with a list of IDs instead.

performanceormn+1
lowPY-088

Unused import statement

AUTO-FIX

wizards/import_wizard.py:55

The import 'datetime' is imported but never referenced in this file.

code-qualitycleanup
highSEC-009

Hardcoded API key in source code

controllers/main.py:89

A sensitive API key is hardcoded directly in the source file. Store secrets in environment variables or system parameters.

secretshardcodedowasp-a02