Cyber Posture

CVE-2024-36259

High · Public PoC

Published: 25 February 2025

Modified: 28 February 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0009 (24.6th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Security Summary

CVE-2024-36259 is an improper access control vulnerability (CWE-284) affecting the mail module in Odoo Community 17.0 and Odoo Enterprise 17.0. Published on 2025-02-25, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability effects.

Remote authenticated attackers can exploit this vulnerability to extract sensitive information through a crafted oracle-style attack that relies on yes/no responses from the affected module.

Further details on mitigation, including potential patches or workarounds, are available in the referenced advisory at https://github.com/odoo/odoo/issues/199330.

Details

CWE(s)
CWE-284, NVD-CWE-noinfo

Affected Products

odoo / odoo / 17.0 (vendor / product / version)

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1213.005 Messaging Applications (tactic: Collection)
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.

Why these techniques?

The vulnerability maps to T1068 because it can be exploited through crafted RPC search queries that run with elevated privileges, and to T1213.005 because it facilitates collection of sensitive data from the mail messaging repository through an oracle-based yes/no response mechanism used for information extraction.

References