CVE-2019-11785 (GCVE-0-2019-11785)
Vulnerability from cvelistv5 – Published: 2020-12-22 16:25 – Updated: 2024-08-04 23:03
VLAI?
Summary
Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages.
Severity ?
6.5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Odoo | Odoo Community |
Affected:
unspecified , ≤ 13.0
(custom)
|
|||||||
|
|||||||||
Credits
Nils Hamerlinck (Trobz)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.751Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/odoo/odoo/issues/63710"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Odoo Community",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Odoo Enterprise",
"vendor": "Odoo",
"versions": [
{
"lessThanOrEqual": "13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nils Hamerlinck (Trobz)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T16:25:38",
"orgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"shortName": "odoo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/odoo/odoo/issues/63710"
}
],
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@odoo.com",
"ID": "CVE-2019-11785",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Odoo Community",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "13.0"
}
]
}
},
{
"product_name": "Odoo Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "13.0"
}
]
}
}
]
},
"vendor_name": "Odoo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nils Hamerlinck (Trobz)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": " CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/odoo/odoo/issues/63710",
"refsource": "MISC",
"url": "https://github.com/odoo/odoo/issues/63710"
}
]
},
"source": {
"advisory": "ODOO-SA-2020-12-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523",
"assignerShortName": "odoo",
"cveId": "CVE-2019-11785",
"datePublished": "2020-12-22T16:25:38",
"dateReserved": "2019-05-06T00:00:00",
"dateUpdated": "2024-08-04T23:03:32.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*\", \"versionEndIncluding\": \"13.0\", \"matchCriteriaId\": \"97EB1578-CFCC-4301-AEE7-DBBC6A92BC25\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*\", \"versionEndIncluding\": \"13.0\", \"matchCriteriaId\": \"3451E55A-C240-40BF-AA17-E11DC5A56002\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages.\"}, {\"lang\": \"es\", \"value\": \"Un control de acceso inapropiado en el m\\u00f3dulo mail (followers) en Odoo Community versiones 13.0 y anteriores y Odoo Enterprise versiones 13.0 y anteriores, permite a usuarios autenticados remotos obtener acceso a unos mensajes publicados en registros de empresas a los que no se les dio acceso, y suscribirse para recibir futuros mensajes\"}]",
"id": "CVE-2019-11785",
"lastModified": "2024-11-21T04:21:47.370",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}], \"cvssMetricV30\": [{\"source\": \"security@odoo.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-12-22T17:15:13.393",
"references": "[{\"url\": \"https://github.com/odoo/odoo/issues/63710\", \"source\": \"security@odoo.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/odoo/odoo/issues/63710\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security@odoo.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@odoo.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-11785\",\"sourceIdentifier\":\"security@odoo.com\",\"published\":\"2020-12-22T17:15:13.393\",\"lastModified\":\"2024-11-21T04:21:47.370\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages.\"},{\"lang\":\"es\",\"value\":\"Un control de acceso inapropiado en el m\u00f3dulo mail (followers) en Odoo Community versiones 13.0 y anteriores y Odoo Enterprise versiones 13.0 y anteriores, permite a usuarios autenticados remotos obtener acceso a unos mensajes publicados en registros de empresas a los que no se les dio acceso, y suscribirse para recibir futuros mensajes\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV30\":[{\"source\":\"security@odoo.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@odoo.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*\",\"versionEndIncluding\":\"13.0\",\"matchCriteriaId\":\"97EB1578-CFCC-4301-AEE7-DBBC6A92BC25\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*\",\"versionEndIncluding\":\"13.0\",\"matchCriteriaId\":\"3451E55A-C240-40BF-AA17-E11DC5A56002\"}]}]}],\"references\":[{\"url\":\"https://github.com/odoo/odoo/issues/63710\",\"source\":\"security@odoo.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/odoo/odoo/issues/63710\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…