Dolibarr Erp Crm
CVE-2023-38886
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.
AnalysisAI
An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 31.8%.
Technical ContextAI
This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script. Affected products include: Dolibarr Dolibarr Erp\/Crm.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.
More in Dolibarr Erp Crm
View allDolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instea
Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter. Rated critical severit
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive
Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier. Rated critical s
SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or pe
Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. Ra
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. Rated critical severity (CVSS 9.8), this vulnerability is r
The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mecha
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attem
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. Rated critical severity (CVSS 9
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1. Rated high severity (CVSS 8.8), this vulnerabilit
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today