Security Research & Advisories

Unrestricted Upload of File with Dangerous Type in Dolibarr CRM

Vendor
Product Dolibarr
Affected Version(s) 11.0.4 and probably prior
Tested Version(s) 11.0.4 and 5.0.3
Vendor Notification June 16, 2020
Advisory Publication June 16, 2020 [without technical details]
Vendor Fix N/A
Public Disclosure N/A
Latest Modification June 16, 2020
CVE Identifier(s) CVE-2020-14209
Product Description Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.
Credits Andrea Gonzalez, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Unrestricted Upload of File with Dangerous Type
Severity: High CVSS Score: 8.8 CWE-ID: CWE-434 Status: Open
Vulnerability Description
The application Dolibarr 11.0.4 and probably prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application.
CVSS Base Score
Attack Vector Network Scope Unchanged
Attack Complexity Low Confidentiality Impact High
Privileges Required Low Integrity Impact High
User Interaction Not Required Availability Impact High

Description

Full details about the vulnerability will be disclosed once the vendor has provided a patch.

Top