CVE-2021-3991

Published: Nov 15, 2024Modified: Nov 19, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.

Affected (1)

Products: Dolibarr: Dolibarr Erp/crm

1 product

Dolibarr Erp/crm

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dolibarr Dolibarr Erp/crm	Before 20.0.2

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://github.com/dolibarr/dolibarr/commit/63cd06394f39d60784d6e6a0ccf4867a71a6568f

Source: security@huntr.dev

Patch

https://huntr.com/bounties/58ddbd8a-0faf-4b3f-aec9-5850bb19ab67

Source: security@huntr.dev

Third Party Advisory

Timeline

No history available yet.