CVE-2018-14867 — Improper Access Control in Odoo

CWE-284 — Improper Access Control3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 50.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Odoo Debian Odoo

Timeline

PublishedJun 28

Latest updateMay 24

Description

Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDodoo/odoo10.0, 9.0+1

▶debiandebian/odoo

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-rg76-2g6j-39fr: Incorrect access control in the portal messaging system in Odoo Community 9↗2022-05-24

▶

📋Vendor Advisories

Debian

CVE-2018-14867: odoo - Incorrect access control in the portal messaging system in Odoo Community 9.0 an...↗2018

▶