CVE-2018-14859

HIGH

Odoo Community <= 11.0 and Odoo Enterprise <= 11.0 - Authenticated Password Reset Token Hijacking


Description

Incorrect access control in the password reset component of Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows an authenticated user to reset another user's password by being the first party to consume that user's reset token.
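As an added illustration, not Odoo's code and not a reconstruction of the patched controller, the Python sketch below shows the access-control failure class this record is filed under (CWE-284): a reset handler that checks that a token is live but lets the request, rather than the token, decide whose password is changed, beside a hardened handler that binds the change to the account the token was issued for, burns the token on first use and records who presented it. Every name here (ResetService, issue_token, reset_vulnerable, reset_hardened) and the two sample logins are assumptions made for this example.

```python
# Added example: generic password-reset token service, not Odoo code.
# Names and sample logins are assumptions for illustration only.
import hashlib
import hmac
import secrets
import time


def _pw_hash(password: str) -> str:
    # Stand-in for a real password KDF (bcrypt/argon2); enough for the demo.
    return hashlib.sha256(password.encode()).hexdigest()


class ResetService:
    def __init__(self, logins, ttl=900):
        # Constructed sample accounts; each starts with a distinct password hash.
        self.users = {login: _pw_hash("old-" + login) for login in logins}
        self.tokens = {}   # sha256(token) -> (bound login, expiry timestamp)
        self.ttl = ttl
        self.audit = []    # (event, token owner, login named in the request)

    def issue_token(self, login: str) -> str:
        """Create a single-use token bound to `login`; only its hash is stored."""
        if login not in self.users:
            raise KeyError(login)
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (login, time.time() + self.ttl)
        return token

    def _find(self, token: str):
        """Return (digest, bound login) for a live token, else None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        for stored, (login, expiry) in self.tokens.items():
            if hmac.compare_digest(stored, digest) and time.time() < expiry:
                return stored, login
        return None

    def reset_vulnerable(self, token: str, requested_login: str, new_password: str) -> bool:
        """Vulnerable pattern: any live token authorises a reset of whatever
        account the request names. The token proves possession, not target."""
        hit = self._find(token)
        if hit is None:
            return False
        # Target taken from the request instead of from the token binding.
        self.users[requested_login] = _pw_hash(new_password)
        del self.tokens[hit[0]]
        return True

    def reset_hardened(self, token: str, requested_login: str, new_password: str):
        """Hardened pattern: the token alone decides whose password changes,
        it is burned before the write (first presenter wins, replay fails),
        and a mismatch between owner and requested login is recorded."""
        hit = self._find(token)
        if hit is None:
            self.audit.append(("reset-rejected", None, requested_login))
            return None
        digest, owner = hit
        del self.tokens[digest]          # single use
        self.users[owner] = _pw_hash(new_password)
        self.audit.append(("reset-applied", owner, requested_login))
        return owner


if __name__ == "__main__":
    # Attacker "mallory" holds a valid token of her own and names "alice".
    svc = ResetService(["alice", "mallory"])
    tok = svc.issue_token("mallory")
    print("vulnerable reset of alice succeeded:", svc.reset_vulnerable(tok, "alice", "pwned"))
    svc = ResetService(["alice", "mallory"])
    tok = svc.issue_token("mallory")
    print("hardened reset applied to:", svc.reset_hardened(tok, "alice", "pwned"))
    print("replay of burned token:", svc.reset_hardened(tok, "mallory", "again"))
```

Whichever session presents the token, reset_hardened changes only the bound account and refuses a second presentation; an audit tuple whose owner differs from the requested login is the condition to alert on. The project's own fix is in the issue linked under References.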

References (1)

Patch, Third Party Advisory (x_refsource_confirm)
https://github.com/odoo/odoo/issues/32510

Scores

CVSS v3 8.1
EPSS 0.0096
EPSS Percentile 57.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-284
Status published
Products (3)
odoo/odoo 9.0 (2 CPE variants)
odoo/odoo 10.0 (2 CPE variants)
odoo/odoo 11.0 (2 CPE variants)
Published Jul 03, 2019
Tracked Since Feb 18, 2026