CVE-2018-14864 — Improper Access Control in Odoo

CWE-284 — Improper Access Control4 documents4 sources

Severity

6.5MEDIUMNVD

OSV7.5

EPSS

0.1%

top 67.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Exiv2 Odoo Debian Odoo

Timeline

PublishedJul 3

Latest updateMay 24

Description

Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDodoo/odoo10.0, 8.0, 9.0+2

▶debiandebian/odoo

▶Ubuntuexiv2/exiv2< 0.23-1ubuntu2.2+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-9v5r-6q88-g5fm: Incorrect access control in asset bundles in Odoo Community 9↗2022-05-24

▶

OSV

exiv2 vulnerabilities↗2019-01-10

▶

📋Vendor Advisories

Debian

CVE-2018-14864: odoo - Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and...↗2018

▶