SB2020032305 - Multiple vulnerabilities in Dolibarr ERP/CRM
Published: March 23, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) SQL injection (CVE-ID: CVE-2019-19212)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "qty" parameter in the "/dolibarr/htdocs/product/fournisseurs.php" file. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
2) Cross-site scripting (CVE-ID: CVE-2019-19211)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in multiple parameters in "/dolibarr/htdocs/user/card.php" file. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
PoC:
signature:
/dolibarr/htdocs/user/card.php?id=2&action=create&signature=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E
lastname:
/dolibarr/htdocs/user/card.php?id=2&action=create&lastname=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E
firstname:
/dolibarr/htdocs/user/card.php?id=2&action=create&firstname=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E
office_phone:
/dolibarr/htdocs/user/card.php?id=2&action=create&office_phone=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E
user_mobile:
/dolibarr/htdocs/user/card.php?id=2&action=create&user_mobile=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E
office_fax:
/dolibarr/htdocs/user/card.php?id=2&action=create&office_fax=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E
email:
/dolibarr/htdocs/user/card.php?id=2&action=create&email=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E
job:
/dolibarr/htdocs/user/card.php?id=2&action=create&job=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E
weeklyhours:
/dolibarr/htdocs/user/card.php?id=2&action=create&weeklyhours=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3Ethm:
/dolibarr/htdocs/user/card.php?id=2&action=create&thm=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E
tjm:
/dolibarr/htdocs/user/card.php?id=2&action=create&tjm=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E
salary:
/dolibarr/htdocs/user/card.php?id=2&action=create&salary=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3Eaccountancy_code:
/dolibarr/htdocs/user/card.php?id=2&action=create&accountancy_code=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3Ecolor:
/dolibarr/htdocs/user/card.php?id=2&action=create&color=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E3) Cross-site scripting (CVE-ID: CVE-2019-19210)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to uploaded HTML documents are served as text/html despite being renamed to ".noexe" files. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Cross-site scripting (CVE-ID: CVE-2019-19209)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "Accept-Language" HTTP Header in "/dolibarr/htdocs/admin/system/dolibarr.php", "mails_templates.php" and "main.inc.php" files. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) SQL injection (CVE-ID: CVE-2019-19209)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the HTTP Header "Accept-Language" in "/dolibarr/htdocs/admin/mails_templates.php". A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Remediation
Install update from vendor's website.
References
- https://herolab.usd.de/en/security-advisories/
- https://herolab.usd.de/security-advisories/usd-2019-0054/
- https://www.dolibarr.org/forum/dolibarr-changelogs
- https://herolab.usd.de/en/security-advisories/usd-2019-0053/
- https://herolab.usd.de/security-advisories/usd-2019-0052/
- https://snyk.io/vuln/SNYK-PHP-DOLIBARRDOLIBARR-560379
- https://herolab.usd.de/security-advisories/usd-2019-0051/
- https://www.dolibarr.org/forum/c/announcements-news