CVE-2018-14862 — Incorrect Permission Assignment in Odoo

CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

6.5MEDIUMNVD

OSV7.5

EPSS

0.3%

top 51.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Exiv2 Odoo Debian Odoo

Timeline

PublishedJul 3

Latest updateMay 24

Description

Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDodoo/odoo10.0, 11.0, 9.0+2

▶debiandebian/odoo

▶Ubuntuexiv2/exiv2< 0.23-1ubuntu2.2+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-c2pj-wg92-r762: Incorrect access control in the mail templating system in Odoo Community 11↗2022-05-24

▶

OSV

exiv2 vulnerabilities↗2019-01-10

▶

📋Vendor Advisories

Debian

CVE-2018-14862: odoo - Incorrect access control in the mail templating system in Odoo Community 11.0 an...↗2018

▶