Description
The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.
References (2)
Core References
https://github.com/odoo/odoo/commits/master (Third Party Advisory; x_refsource_misc)
https://github.com/odoo/odoo/issues/32513 (Patch, Third Party Advisory; x_refsource_confirm)
Scores
CVSS v3: 4.9
EPSS: 0.0028
EPSS Percentile: 51.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-732
Status: published
Products (3)
odoo/odoo 9.0 (2 CPE variants)
odoo/odoo 10.0 (2 CPE variants)
odoo/odoo 11.0 (2 CPE variants)
Published: Jun 28, 2019
Tracked Since: Feb 18, 2026