Cyber Posture

CVE-2024-12368

Severity: High · Public PoC

Published: 25 February 2025
Modified: 28 February 2025
KEV Added: not listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0006 (19.6th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12368 is a high-severity Improper Access Control (CWE-284) vulnerability in Odoo (vendor: Odoo). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). EPSS ranks it at the 19.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Steal Application Access Token (T1528). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

AC-3 Access Enforcement (prevent): Directly enforces approved authorizations for access to system resources like OAuth tokens, preventing unauthorized internal users from exporting tokens belonging to other users.

AC-6 Least Privilege (prevent): Implements least privilege to restrict low-privilege internal users from accessing or exporting OAuth tokens of other users.

Authenticator protection (prevent): Requires protection of authenticators, including OAuth tokens, from unauthorized disclosure, mitigating the improper access that allows their export.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1528 Steal Application Access Token (tactic: Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Why these techniques?

The vulnerability enables authenticated internal users to export other users' OAuth tokens via the export feature due to improper access control, directly facilitating the theft of application access tokens for session hijacking and privilege escalation.

NVD Description

Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users.

Deeper analysis [AI-generated]

CVE-2024-12368 is an improper access control vulnerability (CWE-284) in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0. Published on 2025-02-25, it enables an internal user to export OAuth tokens belonging to other users, earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

The vulnerability can be exploited by an authenticated internal user with low privileges over the network, requiring low complexity and no user interaction. Successful exploitation allows the attacker to export OAuth tokens of other users, potentially compromising confidentiality and integrity by granting unauthorized access to external services or resources linked via those tokens.
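As an added illustration of the AC-3/AC-6 controls recommended above (example code, not Odoo's own): a simplified user-export path that treats OAuth token fields as authenticators and refuses, before reading any row, to export them for anyone outside the administrator group, recording the denied attempt for detection. The field names (oauth_access_token, oauth_uid, oauth_provider_id), the group name base.group_system and the sample users are assumptions, not taken from Odoo's source.

```python
"""Field-level access enforcement on a user-export path (NIST AC-3 / AC-6).

Added example, not Odoo's code: a simplified export endpoint in which OAuth
token fields are authenticators that only administrators may export. Field
names, the group name and the sample users are assumptions, not Odoo source.
"""
from dataclasses import dataclass

# Fields that hold or identify an authenticator (assumed names).
SENSITIVE_USER_FIELDS = frozenset({"oauth_access_token", "oauth_uid", "oauth_provider_id"})
ADMIN_GROUP = "base.group_system"  # assumed administrator group name

# Constructed sample rows standing in for the user table.
USERS = {
    1: {"login": "admin", "oauth_access_token": "CONSTRUCTED-TOKEN-ADMIN", "oauth_uid": "100"},
    2: {"login": "alice", "oauth_access_token": "CONSTRUCTED-TOKEN-ALICE", "oauth_uid": "200"},
    3: {"login": "bob", "oauth_access_token": None, "oauth_uid": None},
}
AUDIT_LOG = []  # denied export attempts, for detection

@dataclass(frozen=True)
class Requester:
    uid: int
    groups: frozenset

def check_export_fields(requester, fields):
    """Fail closed: any sensitive field in the request requires ADMIN_GROUP."""
    denied = sorted(SENSITIVE_USER_FIELDS.intersection(fields))
    if denied and ADMIN_GROUP not in requester.groups:
        AUDIT_LOG.append({"uid": requester.uid, "denied_fields": denied})
        raise PermissionError(f"uid {requester.uid} may not export {denied}")

def export_users(requester, uids, fields):
    """Export the requested fields for the requested users.

    The field-level check runs before any row is read, so a refused request
    leaks nothing; the vulnerable pattern is an export path that skips it."""
    fields = list(fields)
    check_export_fields(requester, fields)
    return [{f: USERS[uid].get(f) for f in fields} for uid in uids if uid in USERS]

if __name__ == "__main__":
    admin = Requester(1, frozenset({ADMIN_GROUP}))
    alice = Requester(2, frozenset({"base.group_user"}))
    print(export_users(admin, [2], ["login", "oauth_access_token"]))
    try:
        export_users(alice, [1, 2], ["login", "oauth_access_token"])
    except PermissionError as exc:
        print("denied:", exc)
```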

Mitigation details and patches are discussed in the Odoo GitHub issue at https://github.com/odoo/odoo/issues/193854.

Details

CWE(s): CWE-284 Improper Access Control

Affected Products: odoo (vendor), odoo (product), version 15.0

CVEs Like This One

CVE-2024-36259: same product (Odoo Odoo)
CVE-2025-25950: shared CWE-284
CVE-2026-5786: shared CWE-284
CVE-2026-32768: shared CWE-284
CVE-2026-33109: shared CWE-284
CVE-2025-24968: shared CWE-284
CVE-2025-54914: shared CWE-284
CVE-2025-1941: shared CWE-284
CVE-2025-1259: shared CWE-284
CVE-2025-66956: shared CWE-284

References