CVE-2023-4197

Published: Nov 1, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

Affected (1)

Products: Dolibarr: Dolibarr Erp/crm

Dolibarr

1 product

Dolibarr Erp/crm

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dolibarr Dolibarr Erp/crm	Up to 18.0.1

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (4)

https://github.com/Dolibarr/dolibarr/commit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e

Source: info@starlabs.sg

Patch

https://starlabs.sg/advisories/23/23-4197

Source: info@starlabs.sg

Third Party Advisory

https://github.com/Dolibarr/dolibarr/commit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://starlabs.sg/advisories/23/23-4197

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.