The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.
References
Link | Resource |
---|---|
https://github.com/odoo/odoo/commits/master | Third Party Advisory |
https://github.com/odoo/odoo/issues/32513 | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-06-28T17:27:55
Updated: 2019-06-28T17:27:55
Reserved: 2018-08-03T00:00:00
Link: CVE-2018-14886
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-06-28T18:15:10.567
Modified: 2020-08-24T17:37:01.140
Link: CVE-2018-14886
JSON object: View
Redhat Information
No data.
CWE