CVE-2019-11784

Description

Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to.

How to fix CVE-2019-11784

To remediate CVE-2019-11784, upgrade the affected package to a fixed version below.

Debian/odoo—upgrade to 14.0.0+dfsg.2-1 or later

Is CVE-2019-11784 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 14.0.0+dfsg.2-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-11784