CVE-2024-36259
Published 2025-02-25
Priority P3 · 37 · medium · 6.5 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.63% (45.7th percentile)
Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | odoo | < odoo 18.0.0+dfsg-1 (sid) | odoo 18.0.0+dfsg-1 (sid) |
| odoo | odoo | — | — |
| odoo | odoo_community | master – 17.0 | — |
| odoo | odoo_enterprise | master – 17.0 | — |
CVSS provenance
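| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 7.5 | LOW | — |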
Debian
CVE-2024-36259: odoo - Improper access control in mail module of Odoo Community 17.0 and Odoo Enterpris...
vendor_debian·2024·CVSS 7.5
CVE-2024-36259 [HIGH] CVE-2024-36259: odoo - Improper access control in mail module of Odoo Community 17.0 and Odoo Enterpris...
Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack.
Scope: local
bullseye: resolved
sid: resolved (fixed in 18.0.0+dfsg-1)
OSV
CVE-2024-36259: Improper access control in mail module of Odoo Community 17
osv·2025-02-25·CVSS 6.5
CVE-2024-36259 [MEDIUM] CVE-2024-36259: Improper access control in mail module of Odoo Community 17
Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack.
GHSA
GHSA-x3g3-3qwm-w95x: Improper access control in mail module of Odoo Community 17
ghsa_unreviewed·2025-02-25
CVE-2024-36259 [HIGH] CWE-284 GHSA-x3g3-3qwm-w95x: Improper access control in mail module of Odoo Community 17
Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-02-25 · Published