SB2020012815 - Multiple vulnerabilities in Dolibarr

Published: January 28, 2020 Updated: July 19, 2021

Security Bulletin ID: SB2020012815
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 20%
Low: 80%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Improper control of interaction frequency (CVE-ID: CVE-2020-7995)

The vulnerability allows a remote attacker to perform a brute-force attack.

The vulnerability exists because the affected software lacks brute-force protection on the "htdocs/index.php?mainmenu=home" login page. A remote attacker can launch a brute-force authentication attack in order to gain access to the system.
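The mitigation for this class of issue is to throttle failed authentication attempts per account and source address. The following is an added example written for this bulletin, not Dolibarr's own code: a sliding-window counter (five failures in fifteen minutes triggers a fifteen-minute lock) with in-memory storage; a real deployment would keep the state in the database or a shared cache so that all web workers see it. The login-handler names in the trailing comment (checkPassword) are hypothetical. Requires PHP 7.4 or later.

```php
<?php
// Added example (not Dolibarr code): per-account, per-source failed-login throttling.
final class LoginThrottle
{
    private const MAX_FAILURES    = 5;    // failures tolerated inside the window
    private const WINDOW_SECONDS  = 900;  // 15-minute sliding window
    private const LOCKOUT_SECONDS = 900;  // lock duration once the limit is hit

    /** @var array<string, array{failures: int[], locked_until: int}> in-memory stand-in for shared storage */
    private array $state = [];

    private function key(string $login, string $ip): string
    {
        // Keyed on (account, source address): one noisy address cannot lock every
        // account out, and one source cannot rotate accounts without limit.
        return strtolower($login) . '|' . $ip;
    }

    public function isLocked(string $login, string $ip, int $now): bool
    {
        $k = $this->key($login, $ip);
        return isset($this->state[$k]) && $this->state[$k]['locked_until'] > $now;
    }

    public function recordFailure(string $login, string $ip, int $now): void
    {
        $k = $this->key($login, $ip);
        $entry = $this->state[$k] ?? ['failures' => [], 'locked_until' => 0];
        // Forget failures that have aged out of the sliding window.
        $entry['failures'] = array_values(array_filter(
            $entry['failures'],
            fn(int $t): bool => $t > $now - self::WINDOW_SECONDS
        ));
        $entry['failures'][] = $now;
        if (count($entry['failures']) >= self::MAX_FAILURES) {
            $entry['locked_until'] = $now + self::LOCKOUT_SECONDS;
            $entry['failures'] = [];
        }
        $this->state[$k] = $entry;
    }

    public function recordSuccess(string $login, string $ip): void
    {
        unset($this->state[$this->key($login, $ip)]);
    }
}

// Constructed scenario: five failures for "admin" from one address within seconds.
$throttle = new LoginThrottle();
$t0 = 1_600_000_000;
for ($i = 0; $i < 5; $i++) {
    $throttle->recordFailure('admin', '198.51.100.7', $t0 + $i);
}
var_dump($throttle->isLocked('admin', '198.51.100.7', $t0 + 10));   // bool(true)
var_dump($throttle->isLocked('admin', '198.51.100.7', $t0 + 1000)); // bool(false): lock expired
var_dump($throttle->isLocked('admin', '203.0.113.9', $t0 + 10));    // bool(false): other source unaffected

// Sketch of the login handler (hypothetical checkPassword):
// if ($throttle->isLocked($login, $_SERVER['REMOTE_ADDR'], time())) { http_response_code(429); exit; }
// if (checkPassword($login, $password)) { $throttle->recordSuccess($login, $_SERVER['REMOTE_ADDR']); }
// else { $throttle->recordFailure($login, $_SERVER['REMOTE_ADDR'], time()); }
```

Each failure should also be written to the security audit log (with the source address) so that a lockout is visible to operators, and the handler should return the same generic error for a locked account as for a wrong password so the lock itself does not reveal which accounts exist.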


2) Cross-site scripting (CVE-ID: CVE-2020-7994)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via multiple parameters. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

This vulnerability affects the following parameters:

  • label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page
  • name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page
  • note[note] parameter to the /htdocs/admin/dict.php?id=10 page
  • zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page
  • url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page
  • key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page
  • [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page

3) Cross-site scripting (CVE-ID: CVE-2020-7996)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks via the Referer HTTP header.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Referer HTTP header in htdocs/user/passwordforgotten.php. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


4) Stored cross-site scripting (CVE-ID: CVE-2020-11823)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data on the admin tools --> audit page if USER_LOGIN_FAILED is active. A remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

PoC:

<object data="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT4="></object>
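Vulnerabilities 2, 3 and 4 share one root cause, untrusted data written into HTML without escaping, and one fix: escape at the point of output, whether the value arrives as a request parameter, as the Referer header, or from a stored audit-log row. The following is an added example written for this bulletin, not Dolibarr's own code. It reuses the PoC payload above as constructed sample data, and the function and variable names (h, backLinkSafe, auditRowsSafe, the $events row layout) are assumptions made for the example.

```php
<?php
// Added example (not Dolibarr code): output escaping for reflected and stored values.

// Escape a value for use in HTML text or a quoted attribute.
// ENT_QUOTES also converts single quotes, so the result is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' (which would fail open).
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerability 3 pattern: the Referer header reflected straight into a link (unsafe).
function backLinkUnsafe(array $server): string
{
    return '<a href="' . ($server['HTTP_REFERER'] ?? '/') . '">Back</a>';
}

// Hardened form: accept only a same-origin path (no scheme, no "//" or "/\" prefix)
// and escape it on output. The same-origin rule is a policy choice for this example.
function backLinkSafe(array $server): string
{
    $ref = $server['HTTP_REFERER'] ?? '/';
    if (!preg_match('#^/(?![/\\\\])#', $ref)) {
        $ref = '/';
    }
    return '<a href="' . h($ref) . '">Back</a>';
}

// Vulnerability 4 pattern: rendering stored failed-login records on an audit page.
// The login name is attacker-controlled input that was persisted, so it is escaped here too.
function auditRowsSafe(array $events): string
{
    $out = '';
    foreach ($events as $e) {
        $out .= '<tr><td>' . h($e['login']) . '</td><td>' . h($e['ip']) . '</td></tr>' . "\n";
    }
    return $out;
}

// Constructed sample data: the bulletin's PoC payload submitted as a login name
// and as a Referer header.
$poc = '<object data="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT4="></object>';

echo auditRowsSafe([['login' => $poc, 'ip' => '203.0.113.5']]);
// <tr><td>&lt;object data=&quot;data:text/html;base64,...&quot;&gt;&lt;/object&gt;</td><td>203.0.113.5</td></tr>

echo backLinkUnsafe(['HTTP_REFERER' => $poc]), "\n";  // the payload lands in the page unescaped
echo backLinkSafe(['HTTP_REFERER' => $poc]), "\n";    // <a href="/">Back</a>
echo backLinkSafe(['HTTP_REFERER' => '/htdocs/user/passwordforgotten.php']), "\n";
// <a href="/htdocs/user/passwordforgotten.php">Back</a>
```

Escaping on output rather than on input is what makes the stored case safe: the audit log can keep the exact string that was submitted, which is what an investigator wants to see, while the page that displays it never interprets it as markup.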


5) Cross-site request forgery (CVE-ID: CVE-2020-11825)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists because a CSRF token issued in one user's session is accepted in any other user's session. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
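A CSRF token only protects a user if it is generated for, stored in, and verified against that user's own session; a token that validates against any session is no better than a fixed value an attacker can obtain from their own account. The following is an added example written for this bulletin, not Dolibarr's own code: the session store is represented by a plain array passed by reference, and the function names (csrfTokenFor, csrfHiddenField, csrfTokenIsValid) are assumptions made for the example.

```php
<?php
// Added example (not Dolibarr code): session-bound CSRF tokens.

// Return this session's token, creating it on first use. It lives only in the
// server-side session, so no other session can present it successfully.
function csrfTokenFor(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

// Hidden form field carrying the token; escaped even though it is hex, as a habit.
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfTokenFor($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '">';
}

// Verify a submitted token against the session that is handling the request.
function csrfTokenIsValid(array $session, ?string $submitted): bool
{
    if ($submitted === null || !isset($session['csrf_token'])) {
        return false; // missing token fails closed
    }
    // Constant-time comparison: the check must not leak the token byte by byte.
    return hash_equals($session['csrf_token'], $submitted);
}

// Constructed scenario: two independent sessions on the same site.
$alice = ['user' => 'alice'];
$bob   = ['user' => 'bob'];
$aliceToken = csrfTokenFor($alice);
$bobToken   = csrfTokenFor($bob);

var_dump(csrfTokenIsValid($alice, $aliceToken)); // bool(true)
var_dump(csrfTokenIsValid($bob, $aliceToken));   // bool(false): a token from another session is rejected
var_dump(csrfTokenIsValid($alice, null));        // bool(false): no token at all
echo csrfHiddenField($alice), "\n";
```

In a real handler the $session array is $_SESSION after session_start(), the token is regenerated on login (alongside session_regenerate_id), and every state-changing request is rejected before any work is done if csrfTokenIsValid returns false.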


Remediation

Install the update from the vendor's website.