Cyber Posture

CVE-2024-12368

Severity: High · Public PoC

Published: 25 February 2025
Modified: 28 February 2025
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0005 (16.8th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Security Summary

CVE-2024-12368 is an improper access control vulnerability (CWE-284) in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0. Published on 2025-02-25, it enables an internal user to export OAuth tokens belonging to other users, earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

The vulnerability can be exploited over the network by an authenticated internal user with low privileges; attack complexity is low and no user interaction is required. Successful exploitation allows the attacker to export the OAuth tokens of other users, compromising confidentiality and integrity by granting unauthorized access to the external services or resources linked to those tokens.

Mitigation details and patches are discussed in the Odoo GitHub issue at https://github.com/odoo/odoo/issues/193854.

Details

CWE(s)
CWE-284, NVD-CWE-noinfo

Affected Products

Vendor: odoo
Product: odoo
Version: 15.0

MITRE ATT&CK Enterprise Techniques

T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The vulnerability enables authenticated internal users to export other users' OAuth tokens via the export feature due to improper access control, directly facilitating the theft of application access tokens for session hijacking and privilege escalation.
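As an added illustration of the bug class described above (constructed for this page; not Odoo's code and not its actual fix), the following Python models an internal-user export routine that serialises user records without any field-level check, beside a hardened version that only releases a sensitive field from the requester's own record or to an administrator, plus a small audit helper. `User`, `USERS`, the group names and all function names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model, not Odoo code: User, USERS, the group names and both
# export functions are assumptions that illustrate the bug class and its fix.
INTERNAL_GROUP = "base.group_user"         # assumed: any logged-in employee
ADMIN_GROUP = "base.group_system"          # assumed: administrators
SENSITIVE_FIELDS = {"oauth_access_token"}  # secrets that log a user in at a provider

class AccessError(Exception):
    pass

@dataclass
class User:
    id: int
    login: str
    groups: set[str] = field(default_factory=set)
    oauth_access_token: str | None = None

# Constructed sample directory: two internal users and one administrator.
USERS = [
    User(1, "alice", {INTERNAL_GROUP}, "tok-alice-constructed"),
    User(2, "bob", {INTERNAL_GROUP}, "tok-bob-constructed"),
    User(3, "admin", {INTERNAL_GROUP, ADMIN_GROUP}, None),
]

def export_users_vulnerable(requester: User, fields: list[str]) -> list[dict]:
    """Bug class: gate only on 'is internal user', then dump every requested
    field of every record, so any employee can export everyone's token."""
    if INTERNAL_GROUP not in requester.groups:
        raise AccessError("internal users only")
    return [{f: getattr(u, f) for f in fields} for u in USERS]

def export_users_hardened(requester: User, fields: list[str]) -> list[dict]:
    """Fix: a sensitive field is exported only from the requester's own record,
    or for administrators; on every other record it is dropped from the row."""
    if INTERNAL_GROUP not in requester.groups:
        raise AccessError("internal users only")
    is_admin = ADMIN_GROUP in requester.groups
    return [{f: getattr(u, f) for f in fields
             if f not in SENSITIVE_FIELDS or is_admin or u.id == requester.id}
            for u in USERS]

def leaked_tokens(rows: list[dict], requester: User) -> list[str]:
    """Audit helper: tokens present in an export that are not the requester's own."""
    own = requester.oauth_access_token
    return [r["oauth_access_token"] for r in rows
            if r.get("oauth_access_token") and r["oauth_access_token"] != own]
```

Running `leaked_tokens` over an export produced for a low-privilege user is also a quick regression check after patching: a non-empty result means another user's token left the system.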

References