logo

Database

Cross-site request forgery In dolibarr/dolibarr

Description

Dolibarr Cross-Site Request Forgery (CSRF) An issue was discovered in Dolibarr. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-150622. NVD-2019-150623. OSV-2019-150624. GCVE-2019-15062

References

1. https://github.com/Dolibarr/dolibarr/issues/116712. https://github.com/Dolibarr/dolibarr/commit/18eb2a83fe7c2d01bdb34cceec389a6f9541e1f63. https://github.com/Dolibarr/dolibarr/commit/d21e5571007d2052a6b5f80a67b6f4cac693584a4. https://gauravnarwani.com/publications/CVE-2019-15062

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.