CVE-2018-14867
MEDIUMOdoo Community 9.0-10.0 and Odoo Enterprise 9.0-10.0 - Improper Access Control in Portal Messaging System
Title source: llmDescription
Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://github.com/odoo/odoo/commits/master
Patch, Third Party Advisory x_refsource_confirm
https://github.com/odoo/odoo/issues/32503
Scores
CVSS v3
5.3
EPSS
0.0140
EPSS Percentile
69.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-284
Status
published
Products (2)
odoo/odoo
9.0 (2 CPE variants)
odoo/odoo
10.0 (2 CPE variants)
Published
Jun 28, 2019
Tracked Since
Feb 18, 2026