CVE-2021-44460

MEDIUM

Odoo < 13.0 - Improper Access Control via Crafted RPC Requests

Title source: llm

Description

Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests.

References (1)

Core References
Issue Tracking, Patch, Vendor Advisory
https://github.com/odoo/odoo/issues/107685

Scores

CVSS v3 6.5
EPSS 0.0069
EPSS Percentile 48.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (1)
odoo/odoo < 13.0 (2 CPE variants)
Published Apr 25, 2023
Tracked Since Feb 18, 2026