VYPR
Unrated severity · NVD Advisory · Published Jul 3, 2019 · Updated Aug 5, 2024

CVE-2018-14859

Description

Incorrect access control in the password reset component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated users to reset the password of other users by being the first party to use the secure token.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated Odoo user can reset other users' passwords by being the first to use the secure token, leading to account takeover.

Vulnerability

The password reset component in Odoo Community and Enterprise versions 11.0 and earlier contains an incorrect access control vulnerability (CVE-2018-14859) [1]. The auth_signup module exposes the secret field used to build the secure password-reset link, and that field is not properly protected against access by internal users [1]. Affected versions include Odoo 9.0, 10.0, and 11.0 in both Community and Enterprise editions [1]. The vulnerability requires the "External Signup" module to be installed and enabled [1].

Exploitation

An attacker with a regular "Employee" account (low-privileged, authenticated user) can trigger a password reset for any target user, including administrators [1]. By being the first party to use the secure token generated in the reset process, the attacker can obtain the secret value and change the target's password before the legitimate user reacts to the password reset email [1]. The attack is network-accessible with low complexity and requires no user interaction [1].

Impact

Successful exploitation results in a full account takeover of the targeted user [1]. The attacker can gain high-privilege access if the target is an administrator, leading to compromise of confidentiality and integrity across the Odoo instance [1]. The victim may notice a suspicious password reset email and later be unable to sign in with their usual password, but the attacker can abuse the compromised credentials before the victim reacts [1].

Mitigation

Odoo S.A. released patches for the affected versions; Odoo Online servers were patched as soon as the correction was available [1]. For on-premises installations, administrators should apply the patches corresponding to their version [1]. As a workaround, the password reset feature can be disabled, though this removes a convenience feature [1]. Applying the patch or updating is strongly recommended [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.