#VU21426 Cross-site request forgery in dolibarr - CVE-2019-15062

Published: September 30, 2019 / Updated: September 30, 2019


Vulnerability identifier: #VU21426
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
CVE-ID: CVE-2019-15062
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
dolibarr
Software vendor:
Dolibarr ERP & CRM

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote authenticated attacker can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page, trick the victim into visiting a specially crafted web page, and perform arbitrary actions on behalf of the victim on the vulnerable website, such as completely taking over the admin account.
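The root cause named above is insufficient validation of the request origin on a state-changing endpoint. The following is an added example, not Dolibarr's code, showing the two defenses a handler for such an endpoint needs: an Origin/Referer check and a per-session anti-CSRF token compared in constant time. Because in this advisory the IFRAME is stored on the vulnerable site itself, a same-origin check alone would still pass, which is why the token is the decisive control. All names (SITE_ORIGIN, Session, handle_update) and the sample requests are hypothetical.

```python
"""Added example (not Dolibarr's code): a minimal handler for a state-changing
request that validates the request origin and a per-session anti-CSRF token.
SITE_ORIGIN, Session and handle_update are hypothetical names."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://erp.example.test"  # assumed origin of the deployment


@dataclass
class Session:
    """Server-side session: the token is generated once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) matches
    the site's own origin. A request carrying neither header is rejected for
    state-changing endpoints rather than trusted by default."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def token_valid(session: Session, form: dict) -> bool:
    """Compare the submitted token with the session token in constant time.
    This check is what stops a request forged from content hosted on the
    same site (such as a stored IFRAME), which an origin check cannot."""
    submitted = form.get("token", "")
    return hmac.compare_digest(submitted, session.csrf_token)


def handle_update(method: str, headers: dict, form: dict, session: Session):
    """Return (status_code, message). Only a POST with a valid origin and a
    valid token is allowed to change state."""
    if method != "POST":
        return 405, "method not allowed"
    if not origin_allowed(headers):
        return 403, "cross-origin request rejected"
    if not token_valid(session, form):
        return 403, "missing or invalid anti-CSRF token"
    # The actual state change (e.g. updating account fields) would happen here.
    return 200, f"updated account {session.user}"


if __name__ == "__main__":
    # Constructed sample requests: a legitimate form post, a cross-origin
    # post, and a same-origin post without the token (the stored-IFRAME case).
    sess = Session(user="admin")
    good = {"Origin": SITE_ORIGIN}
    print(handle_update("POST", good, {"token": sess.csrf_token}, sess))
    print(handle_update("POST", {"Origin": "https://attacker.example"}, {"token": sess.csrf_token}, sess))
    print(handle_update("POST", good, {}, sess))
```

The handler rejects a missing Origin/Referer outright; a deployment that must tolerate privacy-stripped headers should still never skip the token check, since that is the only control that survives same-site hosting of the forged request.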

Remediation

Install the update from the vendor's website.

External links