CVE-2018-14859 — Improper Access Control in Odoo

CWE-284 — Improper Access Control4 documents4 sources

Severity

8.1HIGHNVD

OSV7.5

EPSS

0.3%

top 42.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Exiv2 Odoo Debian Odoo

Timeline

PublishedJul 3

Latest updateMay 24

Description

Incorrect access control in the password reset component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated users to reset the password of other users by being the first party to use the secure token.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶NVDodoo/odoo10.0, 11.0, 9.0+2

▶debiandebian/odoo

▶Ubuntuexiv2/exiv2< 0.23-1ubuntu2.2+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-mm7q-pc32-xfrr: Incorrect access control in the password reset component in Odoo Community 11↗2022-05-24

▶

OSV

exiv2 vulnerabilities↗2019-01-10

▶

📋Vendor Advisories

Debian

CVE-2018-14859: odoo - Incorrect access control in the password reset component in Odoo Community 11.0 ...↗2018

▶