Multiple vulnerabilities in Dolibarr



Published: 2020-01-28 | Updated: 2021-07-19
Risk: Medium
Patch available: YES
Number of vulnerabilities: 5
CVE-ID: CVE-2020-7995, CVE-2020-7994, CVE-2020-7996, CVE-2020-11823, CVE-2020-11825
CWE-ID: CWE-799, CWE-79, CWE-352
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #4 is available.
Vulnerable software: dolibarr (Web applications / CRM systems)

Vendor: Dolibarr ERP & CRM

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

Updated 23.04.2020

Added vulnerabilities #4-5

1) Improper control of interaction frequency

EUVDB-ID: #VU24709

Risk: Medium

CVE-ID: CVE-2020-7995

CWE-ID: CWE-799 - Improper Control of Interaction Frequency

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a brute-force attack.

The vulnerability exists because the affected software lacks brute-force protection on the "htdocs/index.php?mainmenu=home" login page. A remote attacker can launch a brute-force authentication attack in order to gain access to the system.
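As an added illustration, not code from Dolibarr or from this advisory, the following Python sketch shows the kind of failed-login throttle whose absence is the issue here: a per-account sliding-window counter with a lockout, consulted before the password is checked. The thresholds, the in-memory store and the credential table are assumptions.

```python
# Added example, not Dolibarr's own code: a per-account failed-login throttle,
# the control whose absence on a login page is CWE-799. Limits are assumptions.
from collections import defaultdict, deque

class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lockout expires

    def _prune(self, user, now):
        # Discard failures that have fallen out of the sliding window.
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_allowed(self, user, now):
        # True if an attempt for this account may be processed at time `now`.
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[user]   # lockout expired: clean slate
            self._failures[user].clear()
        self._prune(user, now)
        return len(self._failures[user]) < self.max_failures

    def record_failure(self, user, now):
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lockout

    def record_success(self, user):
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)

USERS = {"admin": "correct horse battery staple"}  # constructed credential store

def attempt_login(throttle, user, password, now):
    # Returns 'locked', 'ok' or 'bad'. The throttle is consulted before the
    # password check, so a locked account leaks nothing about the password.
    if not throttle.is_allowed(user, now):
        return "locked"
    if USERS.get(user) == password:
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user, now)
    return "bad"
```

Production deployments usually throttle per source address as well, since a per-account lockout alone lets an attacker lock legitimate users out.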

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

dolibarr: 10.0.6


External links

http://github.com/tufangungor/tufangungor.github.io/blob/master/_posts/2020-01-19-dolibarr-10.0.6-brute-force.md
http://tufangungor.github.io/exploit/2020/01/18/dolibarr-10.0.6-brute-force.html

2) Cross-site scripting

EUVDB-ID: #VU24708

Risk: Low

CVE-ID: CVE-2020-7994

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via multiple parameters. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

This vulnerability affects the following parameters:

  • label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page
  • name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page
  • note[note] parameter to the /htdocs/admin/dict.php?id=10 page
  • zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page
  • url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page
  • key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page
  • [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

dolibarr: 10.0.6


External links

http://github.com/tufangungor/tufangungor.github.io/blob/master/0days.md
http://tufangungor.github.io/0days

3) Cross-site scripting

EUVDB-ID: #VU24707

Risk: Low

CVE-ID: CVE-2020-7996

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks via the Referer HTTP header.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Referer HTTP header in htdocs/user/passwordforgotten.php. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

dolibarr: 10.0.6


External links

http://github.com/tufangungor/tufangungor.github.io/blob/master/_posts/2020-01-19-dolibarr-10.0.6-xss-in-http-header.md
http://tufangungor.github.io/exploit/2020/01/18/dolibarr-10.0.6-xss-in-http-header.html

4) Stored cross-site scripting

EUVDB-ID: #VU27246

Risk: Low

CVE-ID: CVE-2020-11823

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data on the admin tools -> audit page when the USER_LOGIN_FAILED event is active. A remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

PoC:

<object data="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT4="></object>
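Added example, not from the advisory or from Dolibarr: a defender-side scan of failed-login audit entries for markup in the login field, which also decodes the base64 data: URI form used in the PoC above so the embedded payload is visible, and shows the escaped form the audit page should render. The log line format and the entries are constructed for this example.

```python
# Added example, not Dolibarr's own code: scans audit entries for failed-login
# events whose login value carries HTML markup (the stored-XSS vector above),
# decodes any base64 data: URI it embeds, and shows the escaped form a page must
# render. The log line format and entries are constructed for this example.
import base64, html, re

SAMPLE_LOG = """\
2020-04-20 10:01:02|USER_LOGIN_FAILED|alice|203.0.113.5
2020-04-20 10:01:09|USER_LOGIN_FAILED|<object data="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT4="></object>|203.0.113.5
2020-04-20 10:02:30|USER_LOGIN|bob|198.51.100.7
"""

MARKUP = re.compile(r"<[a-zA-Z!/?]")                       # start of a tag or comment
DATA_B64 = re.compile(r"data:[^;,]+;base64,([A-Za-z0-9+/=]+)")

def decode_data_uris(value):
    # Return the decoded bodies of any base64 data: URIs inside value; a
    # payload hidden this way is invisible to a plain "<script" grep.
    out = []
    for b64 in DATA_B64.findall(value):
        try:
            out.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:          # binascii.Error is a ValueError subclass
            pass
    return out

def scan_audit_log(text):
    # Fields: timestamp|event|login|source. For USER_LOGIN_FAILED entries the
    # login value is whatever was typed into the form, so it is untrusted text.
    findings = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4 or parts[1] != "USER_LOGIN_FAILED":
            continue
        ts, _, login, src = parts
        if not MARKUP.search(login):
            continue
        findings.append({
            "time": ts, "source": src, "login": login,
            "decoded": decode_data_uris(login),
            # what the audit page should have written into its HTML
            "safe_render": html.escape(login, quote=True),
        })
    return findings
```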

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

dolibarr: 10.0.6


External links

http://fatihhcelik.blogspot.com/2020/04/dolibarr-stored-xss.html

5) Cross-site request forgery

EUVDB-ID: #VU27247

Risk: Low

CVE-ID: CVE-2020-11825

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists because a CSRF token issued in one user's session is accepted in any other user's session. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
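Added example, not from the advisory or from Dolibarr: the flawed check described above (any token the site issued is valid in any session) beside a check that binds the token to the session it was issued for, with a cross-session replay run against both. The server secret and the session ids are constructed values.

```python
# Added example, not Dolibarr's own code: a CSRF check that accepts any token
# the site ever issued, beside one that binds the token to the issuing session.
# The server secret and session ids are constructed values.
import hashlib, hmac, secrets

SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
ISSUED_TOKENS = set()   # flawed scheme: one site-wide pool of valid tokens

def issue_token_global(session_id):
    # The session id plays no part in the token, which is the root of the flaw.
    tok = secrets.token_hex(16)
    ISSUED_TOKENS.add(tok)
    return tok

def verify_token_global(session_id, tok):
    # A token minted in the attacker's own session passes this check when it
    # arrives inside the victim's session.
    return tok in ISSUED_TOKENS

def issue_token_bound(session_id):
    # HMAC over the session id; storing a random per-session token in the
    # session record is equivalent, this variant just needs no server state.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def verify_token_bound(session_id, tok):
    return hmac.compare_digest(issue_token_bound(session_id), tok)

def handle_state_change(verify, session_id, form):
    # POST handler: the action runs only if the token validates for the
    # session that submitted it. Returns True when the action ran.
    tok = form.get("token", "")
    return bool(tok) and verify(session_id, tok)

def cross_session_replay(verify, issue):
    # The attacker obtains a token in their own session and plants it in a
    # form the victim's browser submits. Returns whether the action ran.
    attacker_tok = issue("sess-attacker")
    return handle_state_change(verify, "sess-victim", {"token": attacker_tok})
```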

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

dolibarr: 10.0.6


External links

http://fatihhcelik.blogspot.com/2020/04/dolibarr-csrf.html
