PT-2019-9066 · Odoo · Odoo Community+1

Nils Hamerlinck

Published

2019-06-28

Updated

2020-08-24

CVE-2018-14868

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Odoo Community version 9.0 Odoo Enterprise version 9.0

Description The issue is related to incorrect access control in the Password Encryption module, allowing authenticated users to change the password of other users without knowing their current password via a crafted RPC call.

Recommendations For Odoo Community version 9.0, update the Password Encryption module to enforce proper access control. For Odoo Enterprise version 9.0, update the Password Encryption module to enforce proper access control. As a temporary workaround, consider restricting access to the Password Encryption module until a patch is available.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2018-14868

Affected Products

Odoo Community

Odoo Enterprise

PT-2019-9066 · Odoo · Odoo Community+1

CVE-2018-14868

Weakness Enumeration

Related Identifiers

Affected Products

References · 5