CVE-2019-11783 — Improper Access Control in Odoo

CWE-284 — Improper Access Control CWE-862 — Missing Authorization CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 43.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Odoo Debian Odoo Odoo Community +1 more

Timeline

PublishedDec 22

Latest updateMay 24

Description

Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5odoo/odoo_communityunspecified — 14.0

▶CVEListV5odoo/odoo_enterpriseunspecified — 14.0

▶debiandebian/odoo< odoo 14.0.0+dfsg.2-1 (bullseye)

▶Debianodoo/odoo< 14.0.0+dfsg.2-1

▶NVDodoo/odoo14.0

🔴Vulnerability Details

GHSA

GHSA-c6gp-grvf-r987: Improper access control in mail module (channel partners) in Odoo Community 14↗2022-05-24

▶

OSV

CVE-2019-11783: Improper access control in mail module (channel partners) in Odoo Community 14↗2020-12-22

▶

📋Vendor Advisories

Debian

CVE-2019-11783: odoo - Improper access control in mail module (channel partners) in Odoo Community 14.0...↗2019

▶