CVE-2019-11785

MEDIUM

Odoo < 13.0 - Authenticated Improper Access Control in Mail Module Followers

Title source: llm

Description

Improper access control in the mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows remote authenticated users to obtain access to messages posted on business records they were not given access to, and to subscribe to receive future messages.

References (1)

Core References
Third Party Advisory x_refsource_misc
https://github.com/odoo/odoo/issues/63710

Scores

CVSS v3: 4.3
EPSS: 0.0147
EPSS Percentile: 70.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-284, CWE-862
Status: published
Products (1): odoo/odoo < 13.0 (2 CPE variants)
Published: Dec 22, 2020
Tracked Since: Feb 18, 2026