{"api_version":"1","generated_at":"2026-04-22T22:57:27+00:00","cve":"CVE-2019-11785","urls":{"html":"https://cve.report/CVE-2019-11785","api":"https://cve.report/api/cve/CVE-2019-11785.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-11785","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-11785"},"summary":{"title":"CVE-2019-11785","description":"Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages.","state":"PUBLIC","assigner":"security@odoo.com","published_at":"2020-12-22 17:15:00","updated_at":"2021-10-28 16:18:00"},"problem_types":["CWE-862"],"metrics":[],"references":[{"url":"https://github.com/odoo/odoo/issues/63710","name":"https://github.com/odoo/odoo/issues/63710","refsource":"MISC","tags":["Third Party Advisory"],"title":"[SEC] CVE-2019-11785 - Affects: Odoo 13.0 and earlier (Community an... · Issue #63710 · odoo/odoo · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-11785","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11785","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Nils Hamerlinck (Trobz)","lang":""}],"nvd_cpes":[{"cve_year":"2019","cve_id":"11785","vulnerable":"1","versionEndIncluding":"13.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11785","vulnerable":"1","versionEndIncluding":"13.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-11785","ASSIGNER":"security@odoo.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Odoo Community","version":{"version_data":[{"version_affected":"<=","version_value":"13.0"}]}},{"product_name":"Odoo Enterprise","version":{"version_data":[{"version_affected":"<=","version_value":"13.0"}]}}]},"vendor_name":"Odoo"}]}},"credit":[{"lang":"eng","value":"Nils Hamerlinck (Trobz)"}],"description":{"description_data":[{"lang":"eng","value":"Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":" CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.0"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-284 Improper Access Control"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://github.com/odoo/odoo/issues/63710","name":"https://github.com/odoo/odoo/issues/63710"}]},"source":{"advisory":"ODOO-SA-2020-12-02","discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2020-12-22 17:15:00","lastModifiedDate":"2021-10-28 16:18:00","problem_types":["CWE-862"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*","versionEndIncluding":"13.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*","versionEndIncluding":"13.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"11785","Ordinal":"150107","Title":"CVE-2019-11785","CVE":"CVE-2019-11785","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"11785","Ordinal":"1","NoteData":"Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"11785","Ordinal":"2","NoteData":"2020-12-22","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"11785","Ordinal":"3","NoteData":"2020-12-22","Type":"Other","Title":"Modified"}]}}}