CVE-2018-14864
Description
Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect access control in Odoo asset bundles allows authenticated users to inject arbitrary web script via crafted attachments, leading to session hijacking.
Vulnerability
An incorrect access control vulnerability exists in the asset bundle caching mechanism of Odoo Community and Enterprise editions. The mechanism used to locate and serve cached asset bundles did not sufficiently validate the origin of the cached files, allowing a remote authenticated user to poison the cache with a crafted attachment. Affected versions include Odoo 8.0, 9.0, 10.0, and 11.0 (both Community and Enterprise) and earlier [1].
Exploitation
An attacker needs only an authenticated user account, including a simple portal user account. The attacker uploads a specially crafted attachment to poison the asset bundle cache. No additional privileges or user interaction beyond the initial authentication are required [1].
Impact
Successful exploitation allows the attacker to inject arbitrary JavaScript and CSS code into asset bundles. This can be used to hijack the sessions of any user accessing the Odoo database via a web browser, potentially leading to privilege escalation and unauthorized access to sensitive data [1].
Mitigation
No official patch version is specified in the advisory. As a workaround, administrators can modify the Access Control for Attachments (ir.attachment) to prevent external users (portal users) from creating or modifying attachments. For internal users, further restrictions can be applied to prevent all users from creating or modifying attachments if acceptable [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Odoo/Odoo Community
- Range: <=11.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/odoo/odoo/issues/32502 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.