Cyber Resilience

CVE-2024-36259

Severity: High · Public PoC

Published: 25 February 2025
Modified: 28 February 2025
KEV Added: not listed
Patch: not recorded; see the referenced advisory
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0009 (24.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-36259 is a high-severity Improper Access Control (CWE-284) vulnerability in Odoo (Community and Enterprise 17.0). Its CVSS v3.1 base score is 7.5 (High).

Operationally, the page maps exploitation to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068), although the rated impact is confidentiality-only (C:H/I:N/A:N): the attacker reads data they are not authorized to read rather than obtaining higher privileges. EPSS ranks it at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-36259 is an improper access control vulnerability (CWE-284) affecting the mail module in Odoo Community 17.0 and Odoo Enterprise 17.0. Published on 2025-02-25, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability effects. Note that the vector's PR:N (no privileges required) conflicts with the vulnerability description, which says remote authenticated attackers; when scoping exposure, treat every account that can authenticate to the instance as part of the threat population rather than assuming the flaw is reachable without a login.

Remote authenticated attackers can extract sensitive information through an oracle: a crafted request (the ATT&CK mapping below refers to crafted RPC search queries) returns a yes/no answer that depends on data the requester is not permitted to read. Repeating the request with varied predicates lets the attacker reconstruct a protected value one comparison at a time, without ever reading the record directly. The exact request shape and the affected fields are described in the referenced advisory.
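The oracle pattern described above, as an added illustration in plain Python (this is not Odoo's code and not the vector from the advisory): a toy in-memory mail model whose read() honours a record rule but whose search_count() evaluates the caller's predicate over every row, beside a hardened variant that applies the rule before the predicate. The class and function names (Message, LeakyMailModel, HardenedMailModel, extract_via_oracle), the alphabet and the sample records are all constructed for this example.

```python
"""Search-oracle leak, modelled in plain Python (CWE-284).

Constructed illustration, not Odoo code: an in-memory "mail" model whose
read() enforces a record rule but whose search_count() does not, so a
caller learns whether any record, readable or not, matches a predicate.
Names and sample data are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    id: int
    author_uid: int
    body: str


# Constructed sample data: uid 1 is the victim, uid 2 the attacker.
SAMPLE_MESSAGES = [
    Message(id=1, author_uid=1, body="otp-4821"),
    Message(id=2, author_uid=2, body="hi"),
]

# Characters the extractor tries at each position (assumption for the demo).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-_ "


class LeakyMailModel:
    """read() is access-controlled; search_count() is not."""

    def __init__(self, records):
        self._records = list(records)
        self.queries = 0  # search calls made so far; useful as a detection signal

    def _can_read(self, uid, rec):
        # Record rule: a user may read only messages they authored.
        return rec.author_uid == uid

    def read(self, uid, rec_id):
        rec = next(r for r in self._records if r.id == rec_id)
        if not self._can_read(uid, rec):
            raise PermissionError(f"uid {uid} may not read message {rec_id}")
        return rec.body

    def _searchable(self, uid):
        # BUG: the record rule is never applied at search time, so the
        # caller's predicate is evaluated over every record in the table.
        return self._records

    def search_count(self, uid, body_prefix):
        """Yes/no oracle: how many records have a body starting with body_prefix."""
        self.queries += 1
        return sum(1 for r in self._searchable(uid) if r.body.startswith(body_prefix))


class HardenedMailModel(LeakyMailModel):
    """Same API, but the record rule is applied before the caller's predicate."""

    def _searchable(self, uid):
        # FIX: restrict the candidate set to records the caller may read.
        return [r for r in self._records if self._can_read(uid, r)]


def extract_via_oracle(model, uid, known="", max_len=64):
    """Extend a known prefix one character at a time using only count > 0 answers.

    Returns the seed plus every character the oracle confirms; on a correctly
    guarded model the caller only ever recovers values from its own records.
    """
    for _ in range(max_len):
        for ch in ALPHABET:
            if model.search_count(uid, known + ch) > 0:
                known += ch
                break
        else:
            break  # no character extends the prefix: the value is complete
    return known


if __name__ == "__main__":
    attacker = 2
    for cls in (LeakyMailModel, HardenedMailModel):
        model = cls(SAMPLE_MESSAGES)
        try:
            model.read(attacker, 1)
        except PermissionError as exc:
            print(f"{cls.__name__}: read() blocked ({exc})")
        leaked = extract_via_oracle(model, attacker, known="otp-")
        print(f"{cls.__name__}: oracle recovered {leaked!r} in {model.queries} queries")
```

The check this suggests for a real deployment: as a low-privilege user, issue a search or search_count against a field of a record you are not allowed to read and confirm the answer is zero or an access error, never a count that varies with the hidden value. The query counter also shows why this class of leak is detectable: recovering a handful of characters costs dozens of near-identical search calls from one account in quick succession.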

Further details on mitigation, including potential patches or workarounds, are available in the referenced advisory at https://github.com/odoo/odoo/issues/199330.


Vulnerability details

Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1213.005 Messaging Applications (tactic: Collection)
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
Why these techniques?

The T1068 mapping reflects the access-control bypass: crafted RPC search queries are answered as if the requester held broader read rights than they actually have. The T1213.005 mapping reflects the target: the mail module is the messaging repository from which sensitive data is collected, one yes/no answer at a time.

CVEs Like This One

CVE-2024-12368 (same product: Odoo)
CVE-2026-48898 (shared CWE-284)
CVE-2026-25176 (shared CWE-284)
CVE-2026-48899 (shared CWE-284)
CVE-2026-37526 (shared CWE-284)
CVE-2024-56883 (shared CWE-284)
CVE-2026-42823 (shared CWE-284)
CVE-2026-0844 (shared CWE-284)
CVE-2026-41086 (shared CWE-284)
CVE-2026-35242 (shared CWE-284)

Affected Assets

Vendor: odoo
Product: odoo
Version: 17.0

Mitigating Controls (NIST 800-53 r5, AI-assigned)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for logical access to information and system resources, directly countering the improper access control in Odoo's mail module that enables sensitive information extraction.

AC-6 Least Privilege (prevent)

Applies least privilege to limit authenticated users' access to only necessary resources, reducing the potential for oracle-based extraction of unauthorized sensitive data.

SI-2 Flaw Remediation (prevent)

Provides for timely identification, reporting, and correction of the specific flaw in the Odoo 17.0 mail module referenced in the advisory.

References

https://github.com/odoo/odoo/issues/199330