Note: CVE IDs do not reflect the year of discovery, but are related to availability in the pool of IDs reserved for Odoo as a CVE Numbering Authority.

# CVE-2018-15632

  Affects: Odoo 11.0 and earlier (Community and Enterprise Editions)

  Severity :: High :: 8.2 :: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

  Improper input validation in database creation logic in Odoo Community 11.0
  and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers
  to initialize an empty database on which they can connect with default
  credentials.

# CVE-2018-15633

  Affects: Odoo 11.0 and earlier (Community and Enterprise Editions)

  Severity :: High :: 7.1 :: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

  Cross-site scripting (XSS) issue in Documents module in Odoo Community 11.0
  and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers
  to inject arbitrary web script in the browser of a victim via crafted
  attachment filenames.

# CVE-2018-15634

  Affects: Odoo 14.0 and earlier (Community and Enterprise Editions)

  Severity :: High :: 7.1 :: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

  Cross-site scripting (XSS) issue in attachment management in Odoo Community
  14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote
  attackers to inject arbitrary web script in the browser of a victim via a
  crafted link.

# CVE-2018-15638

  Affects: Odoo 13.0 and earlier (Community and Enterprise Editions)

  Severity :: High :: 7.1 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

  Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0
  and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers
  to inject arbitrary web script in the browser of a victim via crafted
  channel names.

# CVE-2018-15641

  Affects: Odoo 11.0 through 14.0 (Community and Enterprise Editions)

  Severity :: Medium :: 6.3 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

  Cross-site scripting (XSS) issue in web module in Odoo Community 11.0
  through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote
  authenticated internal users to inject arbitrary web script in the
  browser of a victim via crafted calendar event attributes.

# CVE-2018-15645

  Affects: Odoo 12.0 and earlier (Community and Enterprise Editions)

  Severity :: High :: 8.1 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

  Improper access control in message routing in Odoo Community 12.0 and earlier
  and Odoo Enterprise 12.0 and earlier allows remote authenticated users
  to create arbitrary records via crafted payloads, which may allow privilege
  escalation.

# CVE-2019-11781

  Affects: Odoo 12.0 and earlier (Community and Enterprise Editions)

  Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

  Improper input validation in portal component in Odoo Community 12.0 and earlier
  and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick
  victims into modifying their account via crafted links, leading to privilege
  escalation.

# CVE-2019-11782

  Affects: Odoo 14.0 and earlier (Community and Enterprise Editions)

  Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

  Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise
  14.0 and earlier, allows remote authenticated users with access to contact
  management to modify user accounts, leading to privilege escalation.

# CVE-2019-11783

  Affects: Odoo 14.0 and earlier (Community and Enterprise Editions)

  Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

  Improper access control in mail module (channel partners) in Odoo Community
  14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote
  authenticated users to subscribe to arbitrary mail channels uninvited.

# CVE-2019-11784

  Affects: Odoo 14.0 and earlier (Community and Enterprise Editions)

  Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

  Improper access control in mail module (notifications) in Odoo Community
  14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote
  authenticated users to obtain access to arbitrary messages in conversations
  they were not a party to.

# CVE-2019-11785

  Affects: Odoo 13.0 and earlier (Community and Enterprise Editions)

  Severity :: Medium :: 6.5 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

  Improper access control in mail module (followers) in Odoo Community 13.0
  and earlier and Odoo Enterprise 13.0 and earlier, allows remote
  authenticated users to obtain access to messages posted on business records
  they were not given access to, and subscribe to receive future messages.

# CVE-2019-11786

  Affects: Odoo 13.0 and earlier (Community and Enterprise Editions)

  Severity :: Medium :: 4.3 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

  Improper access control in Odoo Community 13.0 and earlier and Odoo
  Enterprise 13.0 and earlier, allows remote authenticated users to modify
  translated terms, which may lead to arbitrary content modification on
  translatable elements.

# CVE-2020-29396

  Affects: Odoo 11.0 through 14.0 (Community and Enterprise Editions)

  Severity :: Critical :: 9.9 :: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

  A sandboxing issue in Odoo Community 11.0 through 14.0 and Odoo Enterprise
  11.0 through 14.0, when running with Python 3.6, allows remote authenticated
  users to execute arbitrary code, leading to privilege escalation.