CVE-2020-13240 — Incorrect Default Permissions in ERP CRM

CWE-276 — Incorrect Default Permissions CWE-668 — Resource Exposure CWE-79 — Cross-site Scripting5 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 61.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dolibarr ERP CRM

Timeline

PublishedMay 20

Latest updateMay 24

Description

The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages1 packages

▶NVDdolibarr/dolibarr_erp_crm11.0.4

🔴Vulnerability Details

GHSA

Dolibarr Stored Cross-site Scripting↗2022-05-24

▶

OSV

Dolibarr Stored Cross-site Scripting↗2022-05-24

▶

CVEList

CVE-2020-13240: The DMS/ECM module in Dolibarr 11↗2020-05-20

▶

OSV

CVE-2020-13240: The DMS/ECM module in Dolibarr 11↗2020-05-20

▶