#VU46081 Improper Privilege Management in dolibarr - CVE-2020-14201

Cybersecurity Help s.r.o.

Published: 2020-08-21 | Updated: 2020-08-26

Vulnerability identifier: #VU46081

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-14201

CWE-ID: CWE-269

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
dolibarr
Web applications / CRM systems

Vendor: Dolibarr ERP & CRM

Description

The vulnerability allows a remote authenticated user to manipulate data.

Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source code.

Mitigation
Install update from vendor's website.

Vulnerable software versions

dolibarr: 11.0.0 alpha - 11.0.4

External links
https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog
https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-011

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in dolibarr