CVE-2018-14862
Description
Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated internal users can delete arbitrary menu items in Odoo 11.0 and earlier via a crafted RPC request abusing the mail templating system.
Vulnerability
In Odoo Community and Enterprise versions 9.0, 10.0, and 11.0 (and earlier), the mail templating system's shortcut removal mechanism lacks proper access control. An authenticated internal user can craft a malicious RPC request to delete arbitrary menuitems, not just their own shortcuts. The vulnerability resides in the mail component. [1]
Exploitation
An attacker needs a valid user account with network access to the Odoo instance. No special privileges are required beyond being an authenticated internal user. The attacker sends a crafted RPC request to the mail template endpoint, exploiting the shortcut removal functionality to target arbitrary menu entries. [1]
Impact
Successful exploitation allows the attacker to delete arbitrary menu items from the user interface. While no business data is lost, the system becomes difficult to use until repaired. The CVSS score is 7.1 (High) with vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H, indicating high availability impact. [1]
Mitigation
Odoo S.A. has released patches for all affected versions. Users should apply the corresponding patch or update to the latest revision. As a workaround, restrict create and write access to the mail.template model to trusted users only. Odoo Online servers were patched as soon as the correction was available. [1]
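The workaround above can be checked mechanically. The following is an added example (not Odoo's code and not taken from the referenced advisory): it scans access rules in Odoo's `ir.model.access.csv` column layout and reports any group outside a trusted set that holds write or create rights on `mail.template`. The sample rows, the rule ids and the choice of `base.group_system` as the only trusted group are constructed assumptions.

```python
import csv
import io

# Constructed sample in the ir.model.access.csv column layout; the rule ids and
# the rows themselves are illustrative, not copied from any Odoo module.
SAMPLE_ACL = """id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_mail_template_user,mail.template user,model_mail_template,base.group_user,1,1,1,1
access_mail_template_system,mail.template system,model_mail_template,base.group_system,1,1,1,1
access_mail_template_portal,mail.template portal,mail.model_mail_template,base.group_portal,1,0,0,0
access_mail_template_open,mail.template open,model_mail_template,,1,0,1,0
access_res_partner_user,res.partner user,model_res_partner,base.group_user,1,1,1,0
"""

TRUSTED_GROUPS = {"base.group_system"}  # assumption: only Settings admins are trusted
TARGET_MODEL = "model_mail_template"    # external id of the mail.template model


def risky_template_acls(csv_text, trusted=TRUSTED_GROUPS):
    """Return (rule id, group, granted perms) for every ACL row that lets an
    untrusted group create or write mail.template records."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Accept both "model_mail_template" and "mail.model_mail_template".
        model = row["model_id:id"].strip().split(".")[-1]
        if model != TARGET_MODEL:
            continue
        # An empty group column means the rule applies to every user.
        group = row["group_id:id"].strip() or "<all users>"
        if group in trusted:
            continue
        granted = [p for p in ("write", "create")
                   if (row.get("perm_" + p) or "0").strip() == "1"]
        if granted:
            findings.append((row["id"], group, granted))
    return findings


if __name__ == "__main__":
    for rule, group, perms in risky_template_acls(SAMPLE_ACL):
        print(f"{rule}: {group} can {'/'.join(perms)} mail.template")
```

Run it against an export of the instance's access rules for `mail.template`; any row it reports is a group that should lose write/create until the patch is applied.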
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Odoo/Odoo Enterprise
- Range: <=11.0
- Range: <=11.0
References
[1] github.com/odoo/odoo/issues/32504 (mitre, x_refsource_CONFIRM)