PT-2025-7905 · Odoo+1 · Odoo Community+2

Bram Van Gaal · Published 2025-02-25 · Updated 2025-03-10

CVE-2024-36259
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Odoo Community version 17.0
Odoo Enterprise version 17.0

Description
The issue is improper access control in the mail module, which allows remote authenticated attackers to extract sensitive information through a crafted attack that relies on an oracle-based yes/no response.

Recommendations
For both Odoo Community version 17.0 and Odoo Enterprise version 17.0, update to a version that includes the fix for the improper access control issue in the mail module. As a temporary workaround, consider restricting access to the mail module to minimize the risk of exploitation.

Exploit

Fix

Improper Access Control


Weakness Enumeration

Related Identifiers

BIT-ODOO-2024-36259
CVE-2024-36259

Affected Products

Debian
Odoo Community
Odoo Enterprise