CVE-2018-14866 — Incorrect Permission Assignment in Odoo
Severity
4.3 MEDIUM (NVD)
EPSS
0.3%
top 50.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jul 3
Latest update: May 24
Description
Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4