SB2020082110 - Multiple vulnerabilities in dolibarr
Published: August 21, 2020 Updated: September 16, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Improper Privilege Management (CVE-ID: CVE-2020-14201)
The vulnerability allows a remote authenticated user to manipulate data.
Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source code.
2) Cross-site scripting (CVE-ID: CVE-2020-13828)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Arbitrary file upload (CVE-ID: CVE-2020-14209)
The vulnerability allows a remote authenticated user to execute arbitrary code.
Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).
Remediation
Install update from vendor's website.
References
- https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog
- https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-011
- https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-002
- https://github.com/Dolibarr/dolibarr/releases/tag/11.0.5
- https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-012