CVE-2018-14865 — Sensitive Information Exposure in Odoo

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 54.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Odoo Debian Odoo

Timeline

PublishedJul 3

Latest updateMay 24

Description

Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDodoo/odoo10.0, 11.0, 9.0+2

▶debiandebian/odoo

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-5vwc-gwcq-5rrq: Report engine in Odoo Community 9↗2022-05-24

▶

📋Vendor Advisories

Debian

CVE-2018-14865: odoo - Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise...↗2018

▶