Multiple vulnerabilities in dolibarr
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-14201 CVE-2020-13828 CVE-2020-14209 |
| CWE-ID | CWE-269 CWE-79 CWE-434 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
dolibarr Web applications / CRM systems |
| Vendor | Dolibarr ERP & CRM |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
Updated: 16.09.2020
Changed bulletin title, added vulnerability #2-3.
1) Improper Privilege Management
EUVDB-ID: #VU46081
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14201
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source code.
MitigationInstall update from vendor's website.
Vulnerable software versionsdolibarr: 11.0.0 alpha - 11.0.4
CPE2.3- cpe:2.3:a:dolibarr_erp_and_crm:dolibarr:11.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:dolibarr_erp_and_crm:dolibarr:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dolibarr_erp_and_crm:dolibarr:11.0.1:*:*:*:*:*:*:*
https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog
https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-011
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU46546
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-13828
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsdolibarr: 11.0.0 alpha - 11.0.4
CPE2.3- cpe:2.3:a:dolibarr_erp_and_crm:dolibarr:11.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:dolibarr_erp_and_crm:dolibarr:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dolibarr_erp_and_crm:dolibarr:11.0.1:*:*:*:*:*:*:*
https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-002
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Arbitrary file upload
EUVDB-ID: #VU46583
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2020-14209
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: Yes
DescriptionThe vulnerability allows a remote authenticated user to execute arbitrary code.
Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).
MitigationInstall update from vendor's website.
Vulnerable software versionsdolibarr: 11.0.0 alpha - 11.0.4
CPE2.3- cpe:2.3:a:dolibarr_erp_and_crm:dolibarr:11.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:dolibarr_erp_and_crm:dolibarr:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dolibarr_erp_and_crm:dolibarr:11.0.1:*:*:*:*:*:*:*
https://github.com/Dolibarr/dolibarr/releases/tag/11.0.5
https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-012
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
