CVE-2019-11201
Published: 2019-07-29
Priority P3 · 43 · high · 8 CVSS 3.0
AV:N / AC:L / PR:L / UI:R / S:U / C:H / I:H / A:H
EPSS: 2.24% (80.6th percentile)
Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | >= 0 < 9.0.3 | 9.0.3 |
| dolibarr | dolibarr_erp_crm | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.0 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C |
| osv | — | 8.0 | HIGH | — |
GHSA
Dolibarr ERP and CRM Code Injection
ghsa·2022-05-24
CVE-2019-11201 [HIGH] CWE-94 Dolibarr ERP and CRM Code Injection
OSV
Dolibarr ERP and CRM Code Injection
osv·2022-05-24
CVE-2019-11201 [HIGH] Dolibarr ERP and CRM Code Injection
OSV
CVE-2019-11201: Dolibarr ERP/CRM 9
osv·2019-07-29·CVSS 8.0
CVE-2019-11201 [HIGH] CVE-2019-11201: Dolibarr ERP/CRM 9
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.