CVE-2019-11784 — Improper Access Control in Odoo

CWE-284 — Improper Access Control CWE-862 — Missing Authorization CWE-668 — Resource Exposure4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 56.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Odoo Debian Odoo Odoo Community +1 more

Timeline

PublishedDec 22

Latest updateMay 24

Description

Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5odoo/odoo_communityunspecified — 14.0

▶CVEListV5odoo/odoo_enterpriseunspecified — 14.0

▶debiandebian/odoo< odoo 14.0.0+dfsg.2-1 (bullseye)

▶Debianodoo/odoo< 14.0.0+dfsg.2-1

▶NVDodoo/odoo14.0

🔴Vulnerability Details

GHSA

GHSA-9rp8-hcmg-4f3f: Improper access control in mail module (notifications) in Odoo Community 14↗2022-05-24

▶

OSV

CVE-2019-11784: Improper access control in mail module (notifications) in Odoo Community 14↗2020-12-22

▶

📋Vendor Advisories

Debian

CVE-2019-11784: odoo - Improper access control in mail module (notifications) in Odoo Community 14.0 an...↗2019

▶