CVE-2018-14885
published 2019-06-28

Priority: P2 (62)
Severity: critical, 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.22% (80.5th percentile)
Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds.

Affected (3 ranges)

Vendor    Product    Version range    Fixed in
debian    odoo
odoo      odoo
odoo      odoo

Detection & IOCs (extracted from sources)

  • A remote attacker can restore a database dump using any arbitrary password in place of the super-admin password via the Odoo database manager component. Monitor for unauthenticated or anomalous POST requests to the Odoo database manager restore endpoint (e.g., /web/database/restore).
  • Affected versions are Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0; the vulnerability is in the database manager component's access control logic.
  • Debian bullseye and sid have resolved this CVE; verify that patched package versions are deployed.

CVSS provenance

Source           Version    Score    Severity    Vector
nvd              v3.0       9.8      CRITICAL    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd              v2.0       7.5      HIGH        AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_debian               9.8      LOW