CVE-2018-14868 — Improper Authentication in Odoo

CWE-287 — Improper Authentication3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 59.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Odoo Debian Odoo

Timeline

PublishedJun 28

Latest updateMay 24

Description

Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDodoo/odoo9.0

▶debiandebian/odoo

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-5x4h-v3qf-qw26: Incorrect access control in the Password Encryption module in Odoo Community 9↗2022-05-24

▶

📋Vendor Advisories

Debian

CVE-2018-14868: odoo - Incorrect access control in the Password Encryption module in Odoo Community 9.0...↗2018

▶