CVE-2021-25954

Date: August 9, 2021

Overview

In the “Dolibarr” application, versions 2.8.1 to 13.0.4 do not restrict, or incorrectly restrict, access to a resource from an unauthorized actor. A low-privileged attacker can modify the Private Note, which only an administrator has the right to edit; the affected field is at the “/adherents/note.php?id=1” endpoint.

Details

“Dolibarr ERP CRM” does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor: a low-privileged application user can modify the Private Note, which only an administrator has the right to edit. The affected field is at the “/adherents/note.php?id=1” endpoint.

PoC Details

For demonstration purposes we use two users: “member1” (with the “Read members” and “Create/modify members” permissions) and “admin” (administrator). Log in to the application as member1. Go to the My Dashboard option on the left pane and select member1 from the “Latest 5 members” section. Go to the Note option in the navigation bar, edit the public note, and capture the request with a web proxy (for example, Burp Suite). Modify the captured request by changing public to private, as shown in the image below, and forward it. Then log in as the “admin” user, go to the same endpoint, and observe that a private note has been created.
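The root cause described above is an authorization check tied to the coarse “modify members” right rather than to the specific field being written. The following added example (not Dolibarr’s own code; all class and function names are hypothetical) shows a minimal note-update handler with that flaw beside a hardened version that binds the check to the private note itself.

```php
<?php
// Added example, not Dolibarr's code. Hypothetical User/Member types and
// a request array standing in for the POST parameters of a note form.

final class User {
    public function __construct(public string $login, public bool $admin, public bool $canEditMembers) {}
}

final class Member {
    public string $notePublic = '';
    public string $notePrivate = '';
}

// Vulnerable pattern (CWE-863): the only check is the coarse "edit members"
// right; which field gets written is decided by the client-supplied
// note_type parameter, so a tampered value reaches the private note.
function saveNoteVulnerable(array $request, User $user, Member $member): int {
    if (!$user->canEditMembers) {
        return 403;
    }
    $field = ($request['note_type'] ?? 'public') === 'private' ? 'notePrivate' : 'notePublic';
    $member->$field = (string)($request['note'] ?? '');
    return 200;
}

// Hardened: authorization is evaluated per target field. Writing the
// private note additionally requires the admin flag, and unknown note
// types are rejected instead of silently defaulting.
function saveNoteHardened(array $request, User $user, Member $member): int {
    if (!$user->canEditMembers) {
        return 403;
    }
    $type = $request['note_type'] ?? 'public';
    if ($type === 'private') {
        if (!$user->admin) {
            // Worth logging: a non-admin naming the private field is a tampered request.
            error_log("denied private note edit by {$user->login}");
            return 403;
        }
        $member->notePrivate = (string)($request['note'] ?? '');
    } elseif ($type === 'public') {
        $member->notePublic = (string)($request['note'] ?? '');
    } else {
        return 400;
    }
    return 200;
}

// Constructed input: member1 (non-admin, may edit members) sends note_type=private.
$member1 = new User('member1', false, true);
$tampered = ['note_type' => 'private', 'note' => 'constructed text'];
echo saveNoteVulnerable($tampered, $member1, new Member()), "\n"; // 200: private note overwritten
echo saveNoteHardened($tampered, $member1, new Member()), "\n";   // 403: write refused
```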

Affected Environments

2.8.1-13.0.4

Prevention

Upgrade to 14.0.0

Language: PHP

Good to know:

Improper Access Control (CWE-284)
Incorrect Authorization (CWE-863)
Upgrade Version

Upgrade to version dolibarr/dolibarr - 14.0.0

Base Score (CVSS v3 metrics):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None

Base Score (CVSS v2 metrics):
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None