Command Injection in dolibarr - CVE-2018-10092
Published: May 22, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31295
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-10092
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Dolibarr ERP & CRM
Affected software: dolibarr
Detailed vulnerability description
The vulnerability allows a remote authenticated user to execute arbitrary code on the server.
The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads. Because the scanner command and its parameters are stored settings that the admin panel lets an authenticated user edit, whatever is saved there is later run by the server each time an uploaded file is scanned, which is why this is classified as command injection (CWE-77).
How to mitigate CVE-2018-10092
Install the update from the vendor's website; the issue is fixed in Dolibarr 7.0.2 (see the ChangeLog and the fix commit listed in the sources below).
Sources
- http://www.openwall.com/lists/oss-security/2018/05/21/2
- https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog
- https://github.com/Dolibarr/dolibarr/commit/5d121b2d3ae2a95abebc9dc31e4782cbc61a1f39
- https://sysdream.com/news/lab/2018-05-21-cve-2018-10092-dolibarr-admin-panel-authenticated-remote-code-execution-rce-vulnerability/