logo

Database

Server side template injection In dolibarr/dolibarr

Description

Dolibarr ERP and CRM Code Injection Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-112012. NVD-2019-112013. OSV-2019-112014. GCVE-2019-11201

References

1. https://github.com/Dolibarr/dolibarr/issues/10984#issuecomment-4858411412. https://github.com/Dolibarr/dolibarr/commit/63c0ab93fb21f86c1b736061af9fa1eee90148fd3. https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.