Description
The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.
References
- Third Party Advisory
- Patch, Third Party Advisory
- Third Party Advisory
- Patch, Third Party Advisory
Vulnerable configurations
Configuration 1
One of
cpe:2.3:a:odoo:odoo:9.0:*:*:*:community:*:*:*
cpe:2.3:a:odoo:odoo:9.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:odoo:odoo:10.0:*:*:*:community:*:*:*
cpe:2.3:a:odoo:odoo:10.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:odoo:odoo:11.0:*:*:*:community:*:*:*
cpe:2.3:a:odoo:odoo:11.0:*:*:*:enterprise:*:*:*
EPSS
Percentile: 51%
0.00282
Low
4.9 Medium
CVSS3
4 Medium
CVSS2
Weaknesses
CWE-732
Related vulnerabilities
CVSS3: 4.9
debian
more than 6 years ago
The module-description renderer in Odoo Community 11.0 and earlier and ...
github
more than 3 years ago
The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.