CVE-2017-10803

MEDIUM

Odoo 8.0, 9.0, 10.0 - Authenticated Remote Code Execution via Database Anonymization Unpickle

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-10803. PoCs published by SecuriTeam.

AI-analyzed exploit summary: This exploit leverages insecure deserialization in Odoo CRM's Database Anonymization module via a crafted pickle file to achieve arbitrary Python code execution, resulting in a reverse shell. The PoC demonstrates the vulnerability by generating a malicious pickle file that executes a bash reverse shell command.

Description

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.

Exploits (1)

exploitdb WORKING POC
by SecuriTeam · locallinux
https://www.exploit-db.com/exploits/44064

Classification
Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Odoo CRM version 10.0
Auth required
Prerequisites: Administrator access to Odoo CRM · Database Anonymization module installed · Network connectivity to attacker-controlled listener
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/odoo/odoo/issues/17898

Scores

CVSS v3 6.5
EPSS 0.0359
EPSS Percentile 87.9%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (3)
odoo/odoo 8.0
odoo/odoo 9.0 (2 CPE variants)
odoo/odoo 10.0 (2 CPE variants)
Published Jul 04, 2017
Tracked Since Feb 18, 2026