CVE-2018-14867

MEDIUM

Odoo Community 9.0-10.0 and Odoo Enterprise 9.0-10.0 - Improper Access Control in Portal Messaging System

Title source: llm

Description

Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters.

References (2)

Core References
Third Party Advisory x_refsource_misc
https://github.com/odoo/odoo/commits/master
Patch, Third Party Advisory x_refsource_confirm
https://github.com/odoo/odoo/issues/32503

Scores

CVSS v3 5.3
EPSS 0.0140
EPSS Percentile 69.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-284
Status published
Products (2)
odoo/odoo 9.0 (2 CPE variants)
odoo/odoo 10.0 (2 CPE variants)
Published Jun 28, 2019
Tracked Since Feb 18, 2026