Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-10803Deserialization of Untrusted Data in Odoo

CWE-502Deserialization of Untrusted Data4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
1.6%
top 18.55%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
OdooDebian Odoo
Timeline
PublishedJul 4
Latest updateMay 13

Description

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:HExploitability: 0.6 | Impact: 5.9

Affected Packages2 packages

NVDodoo/odoo10.0, 8.0, 9.0+2
debiandebian/odoo

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
GHSA
GHSA-wm9r-8vrh-fgpv: In Odoo 82022-05-13

💥Exploits & PoCs

1
Exploit-DB
Odoo CRM 10.0 - Code Execution2017-06-30

📋Vendor Advisories

1
Debian
CVE-2017-10803: odoo - In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9....2017