CVE-2021-44465: 
NixOS vulnerability analysis and mitigation

Improper access control vulnerability (CVE-2021-44465) affects Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier versions. The vulnerability was discovered by Swapnesh Shah and allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system through crafted RPC requests (Odoo Issue).

The vulnerability exists in the Website Mail module, which provides generic components for following group discussions on a website for external users. The core issue stems from improper content validation that allows users to follow arbitrary documents where the discussion feature is available, including ones the user does not have access to. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) (NVD).

The vulnerability allows attackers to follow private documents and receive future messages. In some cases, where the list of followers is used to determine access to the parent document, this could potentially be exploited to escalate privileges and read the content of followed documents through the portal. Odoo has stated they are not aware of any exploitation of this vulnerability in the wild (Odoo Issue).

No workaround is available for this vulnerability. Users are strongly recommended to update to the latest revision or apply the corresponding patch. For version 13.0, the fix is implemented in commit ef6f86d. Odoo Cloud servers were patched immediately upon the correction becoming available (Odoo Issue).