CVE-2018-14864
MEDIUM
Odoo 9.0-11.0 Authenticated Arbitrary Web Script Injection via Asset Bundle
Title source: llm
Description
Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment.
References (1)
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/odoo/odoo/issues/32502
Scores
CVSS v3
6.5
EPSS
0.0118
EPSS Percentile
64.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-284
Status
published
Products (3)
odoo/odoo
8.0 (2 CPE variants)
odoo/odoo
9.0 (2 CPE variants)
odoo/odoo
10.0 (2 CPE variants)
Published
Jul 03, 2019
Tracked Since
Feb 18, 2026