Cyber Posture

CVE-2024-36259

Severity: High | Public PoC referenced

Published: 25 February 2025
Modified: 28 February 2025
KEV Added: not listed
Patch: none recorded
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0015 (34.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36259 is a high-severity Improper Access Control (CWE-284) vulnerability in Odoo (vendor: Odoo). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 34.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique (T1213.005). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access to information and system resources, directly countering the improper access control in Odoo's mail module that enables sensitive information extraction.

AC-6 Least Privilege (prevent): Applies least privilege to limit authenticated users' access to only the resources they need, reducing the potential for oracle-based extraction of unauthorized sensitive data.

SI-2 Flaw Remediation (prevent): Provides for timely identification, reporting, and correction of the specific flaw in the Odoo 17.0 mail module referenced in the advisory.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1213.005 Messaging Applications (tactic: Collection): Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
Why these techniques?

The vulnerability is mapped to T1068 because exploitation relies on crafted RPC search queries executed with elevated privileges, and to T1213.005 because it enables collection of sensitive data from the mail messaging repository through an oracle-based yes/no response mechanism.

NVD Description

Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack.

Deeper analysis

CVE-2024-36259 is an improper access control vulnerability (CWE-284) affecting the mail module in Odoo Community 17.0 and Odoo Enterprise 17.0. Published on 2025-02-25, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability effects. Note that the vector records PR:N (no privileges required), whereas the NVD description below requires an authenticated attacker; both values are reproduced here as published.

Remote authenticated attackers can exploit this vulnerability to extract sensitive information via an oracle-based crafted attack that relies on yes/no responses.

Further details on mitigation, including potential patches or workarounds, are available in the referenced advisory at https://github.com/odoo/odoo/issues/199330.

Details

CWE(s): CWE-284 (Improper Access Control)

Affected Products
Vendor: odoo
Product: odoo
Version: 17.0

CVEs Like This One

CVE-2024-12368 (same product: Odoo)
CVE-2025-54914 (shared CWE-284)
CVE-2025-21359 (shared CWE-284)
CVE-2025-24042 (shared CWE-284)
CVE-2026-2311 (shared CWE-284)
CVE-2026-0844 (shared CWE-284)
CVE-2026-23856 (shared CWE-284)
CVE-2026-35242 (shared CWE-284)
CVE-2025-24994 (shared CWE-284)
CVE-2026-27914 (shared CWE-284)
