Vendor: Dolibarr ERP CRM
By: om3rcitak
CVSS: 7.5 (HIGH)
Unauthenticated Remote Code Execution
Product Name: Dolibarr ERP CRM
Affected Version From: Version 7.0.3 and below
Affected Version To:
Patch Exists: YES
Related CWE:
CPE:
Platforms Tested: Unix, Windows
Year: 2018
Unauthenticated Remote Code Evaluation in Dolibarr ERP CRM <= 7.0.3
This vulnerability allows an attacker to execute arbitrary code remotely, without authentication, in Dolibarr ERP CRM version 7.0.3 or below. By manipulating the 'db_name' parameter of the 'step1.php' page during the installation process, an attacker can inject malicious code and gain unauthorized access to the system.
Mitigation:
Upgrade to a patched version (7.0.4 or above) of Dolibarr ERP CRM to mitigate this vulnerability. Additionally, restrict access to the installation page to trusted users only.