CVE-2018-14860 — OS Command Injection in Odoo

CWE-78 — OS Command Injection3 documents3 sources

Severity

9.1CRITICALNVD

EPSS

2.2%

top 15.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Odoo Debian Odoo

Timeline

PublishedJul 3

Latest updateMay 24

Description

Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages2 packages

▶NVDodoo/odoo11.0

▶debiandebian/odoo

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-2xx6-c8x3-p4jj: Improper sanitization of dynamic user expressions in Odoo Community 11↗2022-05-24

▶

📋Vendor Advisories

Debian

CVE-2018-14860: odoo - Improper sanitization of dynamic user expressions in Odoo Community 11.0 and ear...↗2018

▶