CVE-2018-14860: OS Command Injection
First published: Wed Jul 03 2019(Updated: )
Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Odoo Odoo | <=11.0 | |
| Odoo Odoo | <=11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-14860?
CVE-2018-14860 is a vulnerability in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier that allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system.
How severe is CVE-2018-14860?
CVE-2018-14860 has a severity level of critical with a CVSS score of 9.1.
What software versions are affected by CVE-2018-14860?
Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier are affected by CVE-2018-14860.
How can I fix CVE-2018-14860?
To fix CVE-2018-14860, it is recommended to upgrade to a fixed version of Odoo Community or Odoo Enterprise.
Where can I find more information about CVE-2018-14860?
You can find more information about CVE-2018-14860 in the GitHub issue: https://github.com/odoo/odoo/issues/32505
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/weakness
- agent/event
- agent/description
- agent/remedy
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/odoo
- canonical/odoo odoo
- version/odoo odoo/11.0