PT-2019-9063 · Wkhtmltopdf+2 · Wkhtmltopdf+3

Nils Hamerlinck

Published

2019-04-26

Updated

2019-07-05

CVE-2018-14865

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Odoo Community versions 9.0 through 11.0 Odoo Enterprise versions 9.0 through 11.0

Description The report engine in Odoo does not use secure options when passing documents to wkhtmltopdf, allowing remote attackers to read local files.

Recommendations For Odoo Community versions 9.0 through 11.0, consider updating to a version that uses secure options when passing documents to wkhtmltopdf. For Odoo Enterprise versions 9.0 through 11.0, consider updating to a version that uses secure options when passing documents to wkhtmltopdf. As a temporary workaround, consider restricting access to the report engine until a secure version is available.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

ALT-PU-2019-1740

CVE-2018-14865

Affected Products

Alt Linux

Odoo Community

Odoo Enterprise

Wkhtmltopdf

PT-2019-9063 · Wkhtmltopdf+2 · Wkhtmltopdf+3

CVE-2018-14865

Weakness Enumeration

Related Identifiers

Affected Products

References · 5