CVE-2019-15062 — Cross-Site Request Forgery in Dolibarr

CWE-352 — Cross-Site Request Forgery5 documents4 sources

Severity

8.0HIGHNVD

EPSS

0.1%

top 68.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dolibarr Dolibarr ERP CRM

Timeline

PublishedAug 14

Latest updateMay 24

Description

An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages2 packages

▶Packagistdolibarr/dolibarr10.0 — 10.0.2

▶NVDdolibarr/dolibarr_erp_crm11.0.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Dolibarr Cross-Site Request Forgery (CSRF)↗2022-05-24

▶

GHSA

Dolibarr Cross-Site Request Forgery (CSRF)↗2022-05-24

▶

OSV

CVE-2019-15062: An issue was discovered in Dolibarr 11↗2019-08-14

▶

CVEList

CVE-2019-15062: An issue was discovered in Dolibarr 11↗2019-08-14

▶