Reference:
Advisory #2025-47
Version:
1.0
Affected software:
Odoo Community 15.0 and Odoo Enterprise 15.0
Odoo Community 17.0 and Odoo Enterprise 17.0
Type:
Improper Access Control
CVE/CVSS:
CVE-2024-12368: CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVE-2024-36259: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12368
NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36259
On 25 February 2025, Odoo published two advisories about high-severity vulnerabilities (CVE-2024-12368, CVE-2024-36259) affecting its Odoo Community and Odoo Enterprise applications.
Successful exploitation of CVE-2024-12368 can allow an authenticated remote attacker to export other users' OAuth tokens. The vulnerable versions are Odoo Community and Odoo Enterprise 15.0 and below. Exploitation of CVE-2024-12368 has a high impact on both Confidentiality and Integrity, but no impact on Availability.
Successful exploitation of CVE-2024-36259 can allow an authenticated remote attacker to extract sensitive user information. The vulnerable versions are Odoo Community and Odoo Enterprise 17.0 and below. Exploitation of CVE-2024-36259 has a high impact on Confidentiality only, with no impact on Integrity or Availability. Note that the published CVSS 3.1 vector for CVE-2024-36259 lists PR:N (no privileges required), whereas the Odoo advisory describes an authenticated attacker; organizations should not assume that restricting self-registration alone removes exposure.
Odoo is a Belgian company that offers an open-source suite of business applications which help organizations manage various aspects of their operations, including CRM, sales, inventory, accounting, manufacturing, and HR. Odoo Community is free and open-source, while Odoo Enterprise is paid (per user) and offers more advanced features.
Both vulnerabilities stem from Improper Access Control.
CVE-2024-12368:
A remote authenticated attacker can exploit the vulnerability in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 to hijack another user's session by stealing and using that user's OAuth token. In doing so the attacker gains that user's privileges (privilege escalation) and access to that user's account, system, files, and information, which can lead to a data breach.
CVE-2024-36259:
A remote attacker who has authenticated to the application can exploit the vulnerability in the mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 to extract sensitive information via a crafted oracle-based (yes/no) attack. This gives the attacker unauthorized access to confidential data, which can lead to a data breach and to privacy violations.
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable installations with the highest priority, after thorough testing.
Odoo recommends updating to version 18.0 or later.
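The following triage helper is an added example, not code from the CCB or from Odoo. It classifies an Odoo server version string against the affected ranges stated in this advisory (CVE-2024-12368: 15.0 and below; CVE-2024-36259: 17.0 and below) and can read the version from a live instance through Odoo's public XML-RPC `common` endpoint, whose `version()` method returns a dictionary containing `server_version`. The sample version strings are constructed for the example, and the interpretation of a `+e` suffix as an Enterprise build is an assumption.

```python
"""Triage helper for CCB Advisory #2025-47 (added example, not CCB or Odoo code)."""
import re
import xmlrpc.client

# Affected ranges as stated in the advisory: CVE -> highest affected major version.
AFFECTED = {
    "CVE-2024-12368": 15,  # auth_oauth module, 15.0 and below
    "CVE-2024-36259": 17,  # mail module, 17.0 and below
}

# Accepts "17.0", "15.0+e", "saas~17.4" and similar. The "+e" suffix is assumed
# (not stated in the advisory) to mark an Enterprise build.
_VERSION_RE = re.compile(r"^(?:saas~)?(\d+)\.(\d+)(?:[^+]*)(\+e)?$")


def parse_version(server_version):
    """Return (major, minor, edition) from an Odoo server_version string."""
    m = _VERSION_RE.match(server_version.strip())
    if not m:
        raise ValueError(f"unrecognised Odoo version string: {server_version!r}")
    edition = "Enterprise" if m.group(3) else "Community"
    return int(m.group(1)), int(m.group(2)), edition


def affected_cves(server_version):
    """List the advisory's CVEs whose stated range covers this version."""
    major, _minor, _edition = parse_version(server_version)
    return sorted(cve for cve, top_major in AFFECTED.items() if major <= top_major)


def triage(server_version):
    """Verdict consistent with the advisory's remediation advice (update to 18.0 or later)."""
    major, minor, edition = parse_version(server_version)
    cves = affected_cves(server_version)
    if not cves:
        return f"Odoo {edition} {major}.{minor}: not in an affected range"
    return (f"Odoo {edition} {major}.{minor}: affected by {', '.join(cves)}; "
            "update to 18.0 or later after testing")


def query_server_version(base_url):
    """Ask a live Odoo instance for its version via the unauthenticated XML-RPC
    'common' endpoint. This is a network call and is not exercised offline."""
    common = xmlrpc.client.ServerProxy(f"{base_url.rstrip('/')}/xmlrpc/2/common")
    return common.version()["server_version"]


if __name__ == "__main__":
    # Constructed sample version strings, not data gathered from real hosts.
    for v in ("15.0", "15.0+e", "16.0", "17.0+e", "18.0", "saas~17.4"):
        print(triage(v))
```

Run `triage(query_server_version("https://odoo.example.internal"))` against an instance you are authorised to assess; the version endpoint requires no credentials, so it can be added to an asset inventory sweep before the patch window.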
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
Odoo advisory: https://github.com/odoo/odoo/issues/193854
Odoo advisory: https://github.com/odoo/odoo/issues/199330