{"api_version":"1","generated_at":"2026-04-22T22:58:52+00:00","cve":"CVE-2021-23203","urls":{"html":"https://cve.report/CVE-2021-23203","api":"https://cve.report/api/cve/CVE-2021-23203.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-23203","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-23203"},"summary":{"title":"CVE-2021-23203","description":"Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.","state":"PUBLIC","assigner":"security@odoo.com","published_at":"2023-04-25 19:15:00","updated_at":"2023-05-05 21:15:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://github.com/odoo/odoo/issues/107695","name":"https://github.com/odoo/odoo/issues/107695","refsource":"MISC","tags":[],"title":"[SEC] CVE-2021-23203 - Improper access control in reporting engine o... · Issue #107695 · odoo/odoo · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2023/dsa-5399","name":"https://www.debian.org/security/2023/dsa-5399","refsource":"MISC","tags":[],"title":"Debian -- Security Information -- DSA-5399-1 odoo","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-23203","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23203","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"23203","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"14.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23203","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"14.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23203","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"15.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23203","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"15.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-23203","qid":"181773","title":"Debian Security Update for odoo (DSA 5399-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2021-23203","ASSIGNER":"security@odoo.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Improper Access Control"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Odoo","product":{"product_data":[{"product_name":"Odoo Community","version":{"version_data":[{"version_affected":"<=","version_name":"14.0","version_value":"15.0"}]}},{"product_name":"Odoo Enterprise","version":{"version_data":[{"version_affected":"<=","version_name":"14.0","version_value":"15.0"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/odoo/odoo/issues/107695","refsource":"MISC","name":"https://github.com/odoo/odoo/issues/107695"},{"url":"https://www.debian.org/security/2023/dsa-5399","refsource":"MISC","name":"https://www.debian.org/security/2023/dsa-5399"}]},"credits":[{"lang":"eng","value":"Tiffany Chang"},{"lang":"eng","value":"iamsushi"},{"lang":"eng","value":"Ranjit Pahan"},{"lang":"eng","value":"Iago Ruiz"}],"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-04-25 19:15:00","lastModifiedDate":"2023-05-05 21:15:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:14.0:*:*:*:community:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:14.0:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:15.0:*:*:*:community:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:15.0:*:*:*:enterprise:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"23203","Ordinal":"212563","Title":"CVE-2021-23203","CVE":"CVE-2021-23203","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"23203","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}