PT-2019-9065 · Odoo · Odoo Community +1

Andrew Grasso +2 · Published 2019-06-28 · Updated 2019-07-05 · CVE-2018-14867

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Odoo Community versions 9.0 through 10.0
Odoo Enterprise versions 9.0 through 10.0

Description

The issue is related to incorrect access control in the portal messaging system, allowing remote attackers to post messages on behalf of customers and guess document attribute values via crafted parameters.

Recommendations

For Odoo Community versions 9.0 through 10.0, consider restricting access to the portal messaging system until a fix is available. For Odoo Enterprise versions 9.0 through 10.0, consider restricting access to the portal messaging system until a fix is available. As a temporary workaround, consider disabling the use of crafted parameters in the portal messaging system to minimize the risk of exploitation.

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2018-14867

Affected Products

Odoo Community
Odoo Enterprise