Security Research & Advisories

Privilege Escalation in Dolibarr CRM

Product: Dolibarr
Affected Version(s): 11.0.4 and probably prior
Tested Version(s): 11.0.4 and 5.0.3
Vendor Notification: June 12, 2020
Advisory Publication: June 12, 2020 [without technical details]
Vendor Fix: N/A
Public Disclosure: N/A
Latest Modification: June 12, 2020
CVE Identifier(s): Pending
Product Description: Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.
Credits: Krzysztof Bednarski, Senior Cyber Security Consultant & Penetration Tester @wizlynx group

Vulnerability Details

Privilege Escalation
Severity: Medium CVSS Score: 4.3 CWE-ID: CWE-269 Status: Open
Vulnerability Description
The application Dolibarr CRM is affected by a privilege escalation vulnerability in version 11.0.4 and prior versions (confirmed on 11.0.4 and 5.0.3). This vulnerability could allow remote authenticated attackers to upload arbitrary files.
CVSS Base Score
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Not Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None


Full details about the vulnerability will be disclosed once the vendor has provided a patch.