This security bulletin contains one low risk vulnerability.
Exploit availability: NoDescription
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in "dolibarr/user/card.php" and "dolibarr/admin/security.php" URLs. A remote attacker can trick the victim to visit a specially crafted web page and change user password, disable users and disable password encryptation.Mitigation
Install update from vendor's website.Vulnerable software versions
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?