CVE-2024-31503
7.5
Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L
Exploitability: 1.0 / Impact: 6.0
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
Description
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before (fixed in 19.0.1) allows an authenticated attacker to steal a victim user's session cookie and CSRF protection token when the victim interacts with a crafted web page, leading to account takeover.
Affected (1)
Products: Dolibarr: Dolibarr Erp/crm
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Dolibarr ERP/CRM | Before 19.0.1 |
Related CWEs
CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
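As an added illustration of the two controls this record points at (a CSRF token bound to the session, and a session cookie that page scripts cannot read), the following Python is example code written for this page; it is not Dolibarr's implementation and does not reproduce the flaw. The cookie name SESSID, the in-memory SESSIONS store and the function names are assumptions made for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store for the example: session id -> session data.
# Illustrative only; a real application keeps this server-side in its session backend.
SESSIONS: dict = {}


def new_session(user: str) -> tuple[str, str]:
    """Create a session for `user` with its own CSRF token.

    Returns (session_id, csrf_token). The token is generated per session, so a
    token leaked from one victim is useless against another session.
    """
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token}
    return sid, token


def session_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value for the session id.

    HttpOnly keeps the cookie out of reach of scripts on any page (document.cookie),
    SameSite=Lax stops the browser attaching it to cross-site POST requests, and
    Secure restricts it to TLS connections.
    """
    c = SimpleCookie()
    c["SESSID"] = sid
    c["SESSID"]["httponly"] = True
    c["SESSID"]["secure"] = True
    c["SESSID"]["samesite"] = "Lax"
    c["SESSID"]["path"] = "/"
    return c.output(header="").strip()


def csrf_ok(request_cookies: dict, form: dict) -> bool:
    """Decide whether a state-changing request may proceed.

    Fails closed: the request must present a known session cookie and a form
    token equal to the token bound to that session. The comparison is
    constant-time so the check does not leak the token byte by byte.
    """
    sess = SESSIONS.get(request_cookies.get("SESSID", ""))
    if sess is None:
        return False
    supplied = form.get("token", "")
    if not supplied:
        return False
    return hmac.compare_digest(supplied, sess["csrf"])


if __name__ == "__main__":
    sid, token = new_session("alice")
    print(session_cookie_header(sid))
    # Legitimate same-origin form submission carrying the session's token.
    print(csrf_ok({"SESSID": sid}, {"token": token}))   # True
    # Forged cross-site POST: the attacker's page cannot read the token.
    print(csrf_ok({"SESSID": sid}, {}))                  # False
    # Token replayed against a different session is rejected as well.
    sid2, _ = new_session("bob")
    print(csrf_ok({"SESSID": sid2}, {"token": token}))   # False
```

The rejection in the last two cases is what CWE-352 asks for: the server does not trust that a well-formed request was intended by the logged-in user unless it carries a secret that only a same-origin page of that session could have obtained.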
References (2)
Source: cve@mitre.org
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Timeline
No history available yet.