Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.
AnalysisAI
Insecure Direct Object Reference in Dolibarr ERP CRM 23.0.0-23.0.2 allows any authenticated low-privilege user to read another user's messaging records by manipulating the id parameter in htdocs/user/messaging.php. The commit diff confirms the endpoint performed zero ownership or permission validation before serving messaging data - any valid session could enumerate other users' messages by cycling numeric IDs. No public exploit code has been identified and this CVE does not appear in CISA KEV, but the vulnerability is trivially exploitable given its low complexity and minimal authentication barrier.
Technical ContextAI
CWE-639 (Authorization Bypass Through User-Controlled Key) describes the root cause: the PHP endpoint htdocs/user/messaging.php accepted a caller-supplied id parameter and fetched the corresponding user's messaging records without verifying that the requesting user either owned that id or held the user.user.lire (read other users) permission. The patch (commit 119b3606c7a701747a57a1f18b1a9e7666f678e2) inserts an explicit gate - if (($object->id != $user->id) && !$user->hasRight('user', 'user', 'lire')) { accessforbidden(); } - enforcing ownership or elevated permission before rendering. This is a classic IDOR pattern, confirmed explicitly in the 23.0.3 release notes crediting researcher Aksoum Abderrahmane. Affected CPE is cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:* constrained to versions 23.0.0, 23.0.1, and 23.0.2.
RemediationAI
Upgrade Dolibarr ERP CRM to version 23.0.3, which contains the authorization fix delivered via commit 119b3606c7a701747a57a1f18b1a9e7666f678e2. The patched release is available at https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3 and also addresses several additional security fixes in the same release (SSRF via AI module, legacy filemanager permission bypass, cross-customer API object creation). If an immediate upgrade is not feasible, a compensating control is to restrict access to the /user/messaging.php endpoint at the web server or WAF layer so that only accounts with administrator-level roles can reach it - note this will disable the messaging view for all standard users as a side effect. No configuration-only workaround preserving full feature functionality is available.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33474
GHSA-5pc3-3f4w-j85m