{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-28T17:37:45", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/odoo/odoo/commits/master"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/odoo/odoo/issues/32503"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-14867", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/odoo/odoo/commits/master", "refsource": "MISC", "url": "https://github.com/odoo/odoo/commits/master"}, {"name": "https://github.com/odoo/odoo/issues/32503", "refsource": "CONFIRM", "url": "https://github.com/odoo/odoo/issues/32503"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-14867", "datePublished": "2019-06-28T17:37:45", "dateReserved": "2018-08-02T00:00:00", "dateUpdated": "2019-06-28T17:37:45", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*", "matchCriteriaId": "C3F9E8F1-FAF7-44AE-8D05-BE717D247EDE", "vulnerable": true}, {"criteria": "cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "167C709E-C8B2-4CCB-963E-E1D8C664190A", "vulnerable": true}, {"criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*", "matchCriteriaId": "C52F2EEB-11E5-49E8-AD06-3014FF2C2D24", "vulnerable": true}, {"criteria": "cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "A4405E54-6C16-49D5-B632-3D72091B2FEB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters."}, {"lang": "es", "value": "El control de acceso incorrecto en el sistema de mensajer\u00eda del portal en Odoo Community versiones 9.0 y 10.0 y Odoo Enterprise versiones 9.0 y 10.0 permite a los atacantes remotos publicar mensajes en nombre de los clientes y adivinar los valores de los atributos de los documentos, a trav\u00e9s de par\u00e1metros dise\u00f1ados."}], "id": "CVE-2018-14867", "lastModified": "2019-07-05T13:24:30.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-28T18:15:10.410", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/odoo/odoo/commits/master"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/odoo/odoo/issues/32503"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}