#VU39061 Improper Authentication in dolibarr
Vulnerability identifier: #VU39061
Vulnerability risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
dolibarr
Web applications /
CRM systems
Vendor: Dolibarr ERP & CRM
Description
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation.
Mitigation
Install update from vendor's website.
Vulnerable software versions
dolibarr: 4.0.4
External links
http://www.foxmole.com/advisories/foxmole-2017-02-23.txt
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
