CVE-2020-35136 — Argument Injection in Dolibarr

CWE-88 — Argument Injection CWE-77 — Command Injection5 documents4 sources

Severity

7.2HIGHNVD

EPSS

7.0%

top 8.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dolibarr Dolibarr ERP CRM

Timeline

PublishedDec 23

Latest updateMay 24

Description

Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶Packagistdolibarr/dolibarr< 12.0.4

▶NVDdolibarr/dolibarr_erp_crm12.0.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Dolibarr authenticated Remote Code Execution↗2022-05-24

▶

GHSA

Dolibarr authenticated Remote Code Execution↗2022-05-24

▶

OSV

CVE-2020-35136: Dolibarr 12↗2020-12-23

▶

CVEList

CVE-2020-35136: Dolibarr 12↗2020-12-23

▶