#VU31295 Command Injection in dolibarr - CVE-2018-10092
Published: May 22, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31295
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-10092
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
dolibarr
Software vendor:
Dolibarr ERP & CRM
Description
The vulnerability allows a remote authenticated user with access to the admin panel to execute arbitrary OS commands on the server hosting Dolibarr.
The admin panel in Dolibarr before 7.0.2 lets an administrator change the antivirus command and the parameters that are used to scan uploaded files. Because these values are executed as part of a command line when a file is uploaded, an attacker who controls that setting can append arbitrary commands, which then run with the privileges of the web-server user. Admin-level credentials are required, so the practical risk is a compromised or malicious administrator account turning application access into code execution on the host.
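To make the failure mode concrete, the following PHP is an added illustration, not Dolibarr's own code and not the fixing commit linked below. It contrasts the vulnerable pattern the advisory describes (an admin-editable scanner command and parameter string spliced into a shell command line, with only the filename escaped) against a hardened builder that allowlists the scanner binary, rejects shell metacharacters in the parameters, and produces an argv array that can be run without a shell. The setting values, the allowlisted binaries and the upload path are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Added illustrative example, NOT Dolibarr's code. The command/parameter
// values below are constructed inputs standing in for admin-panel settings.

/**
 * VULNERABLE pattern: admin-controlled settings are concatenated into a shell
 * command line. Only the upload path is escaped, so an administrator who sets
 * the command to "clamscan; id" gets "id" executed on every upload.
 */
function buildScanCommandVulnerable(string $avCommand, string $avParam, string $uploadPath): string
{
    // In the real flow a string like this would go to exec()/shell_exec().
    return $avCommand . ' ' . $avParam . ' ' . escapeshellarg($uploadPath);
}

/**
 * HARDENED pattern: the scanner binary must come from an allowlist, the
 * parameters are restricted to a safe character set, and the result is an
 * argv array so it can be executed without a shell.
 */
function buildScanCommandHardened(string $avCommand, string $avParam, string $uploadPath): array
{
    // Assumption: site policy allows only these scanner binaries.
    $allowedScanners = ['/usr/bin/clamscan', '/usr/bin/clamdscan'];
    if (!in_array($avCommand, $allowedScanners, true)) {
        throw new InvalidArgumentException('antivirus command is not an allowed scanner binary');
    }
    // Allow only letters, digits, and a few option characters; this rejects
    // ; & | ` $ ( ) < > quotes and newlines outright.
    if (preg_match('/[^A-Za-z0-9_=.\/ -]/', $avParam)) {
        throw new InvalidArgumentException('antivirus parameters contain disallowed characters');
    }
    $args = preg_split('/\s+/', trim($avParam), -1, PREG_SPLIT_NO_EMPTY);
    return array_merge([$avCommand], $args, [$uploadPath]);
}

/**
 * Runs an argv array without a shell. proc_open() accepts an array as the
 * command since PHP 7.4, which is what makes the metacharacters inert.
 */
function runScan(array $argv): int
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start scanner');
    }
    // Drain output so the scanner never blocks on a full pipe.
    stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc); // clamscan convention: 0 clean, 1 infected, 2 error
}

// Demo with a constructed malicious setting.
$evilCommand = 'clamscan; id';
$param       = '--no-summary';
$upload      = '/var/www/uploads/invoice.pdf';

echo buildScanCommandVulnerable($evilCommand, $param, $upload), PHP_EOL;

try {
    buildScanCommandHardened($evilCommand, $param, $upload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

print_r(buildScanCommandHardened('/usr/bin/clamscan', $param, $upload));
```

The vulnerable builder keeps the `; id` from the admin setting intact in the returned command line, so once that string reaches a shell the injected command runs under the web-server user on every upload; the hardened builder refuses the same value before anything is executed. Escaping the filename alone, as the vulnerable version does, is not a defence here because the injection point is the trusted-looking configuration value, not the user-supplied file name.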
Remediation
Update to Dolibarr 7.0.2 or later (see the 7.0.2 ChangeLog and the fixing commit linked below). Until the update is applied, restrict administrator accounts to trusted staff, since any administrator can change the antivirus command setting. After updating, review the configured antivirus command and parameters in the admin panel for unexpected values, as a prior compromise would leave them in place.
External links
- http://www.openwall.com/lists/oss-security/2018/05/21/2
- https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog
- https://github.com/Dolibarr/dolibarr/commit/5d121b2d3ae2a95abebc9dc31e4782cbc61a1f39
- https://sysdream.com/news/lab/2018-05-21-cve-2018-10092-dolibarr-admin-panel-authenticated-remote-code-execution-rce-vulnerability/