CVE-2018-14886 — Incorrect Permission Assignment in Odoo

CWE-732 — Incorrect Permission Assignment3 documents3 sources

Severity

4.9MEDIUMNVD

EPSS

0.3%

top 48.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Odoo Debian Odoo

Timeline

PublishedJun 28

Latest updateMay 24

Description

The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶NVDodoo/odoo10.0, 11.0, 9.0+2

▶debiandebian/odoo

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-3h3h-vg74-fvqw: The module-description renderer in Odoo Community 11↗2022-05-24

▶

📋Vendor Advisories

Debian

CVE-2018-14886: odoo - The module-description renderer in Odoo Community 11.0 and earlier and Odoo Ente...↗2018

▶