CVE-2018-14864

MEDIUM

Odoo 9.0-11.0 Authenticated Arbitrary Web Script Injection via Asset Bundle

Title source: llm

Description

Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment.

References (1)

Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/odoo/odoo/issues/32502

Scores

CVSS v3 6.5
EPSS 0.0118
EPSS Percentile 64.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-284
Status published
Products (3)
odoo/odoo 8.0 (2 CPE variants)
odoo/odoo 9.0 (2 CPE variants)
odoo/odoo 10.0 (2 CPE variants)
Published Jul 03, 2019
Tracked Since Feb 18, 2026