#VU24709 Improper control of interaction frequency in dolibarr
Vulnerability identifier: #VU24709
Vulnerability risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-799
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
dolibarr
Web applications /
CRM systems
Vendor: Dolibarr ERP & CRM
Description
The vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists due to the affected software lacks brute force protection in the "htdocs/index.php?mainmenu=home" login page. A remote attacker can launch a brute-force authentication attack in order to gain access to the system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
dolibarr: 10.0.6
External links
http://github.com/tufangungor/tufangungor.github.io/blob/master/_posts/2020-01-19-dolibarr-10.0.6-brute-force.md
http://tufangungor.github.io/exploit/2020/01/18/dolibarr-10.0.6-brute-force.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
