Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-14886

The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.

Published

2019-06-28T18:15:10.567

Last Modified

2024-11-21T03:50:00.927

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 4.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-732

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	odoo	odoo	9.0	Yes
Application	odoo	odoo	9.0	Yes
Application	odoo	odoo	10.0	Yes
Application	odoo	odoo	10.0	Yes
Application	odoo	odoo	11.0	Yes
Application	odoo	odoo	11.0	Yes

References

https://github.com/odoo/odoo/commits/master Third Party Advisory ([email protected])
https://github.com/odoo/odoo/issues/32513 Patch, Third Party Advisory ([email protected])
https://github.com/odoo/odoo/commits/master Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/odoo/odoo/issues/32513 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)