CVE-2021-25956
published 2021-08-17


Priority: P339
Severity: high (CVSS 3.1 base score 7.2)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.94% (56.3rd percentile)
In the “Dolibarr” application, versions v3.3.beta1_20121221 to v13.0.2 grant admin-level users “Modify” access to change other users’ details, but when an admin renames a user’s “Login”, the application fails to check whether that “Login” name already exists. This leads to complete account takeover of the victim user, because the password of the victim user with the same login name gets overwritten.

Affected

4 ranges

Vendor    | Product           | Version range                       | Fixed in
----------|-------------------|-------------------------------------|---------
dolibarr  | dolibarr          | 3.3.1 – 13.0.2                      |
dolibarr  | dolibarr          | >= 3.3.beta1 < 14.0.0               | 14.0.0
dolibarr  | dolibarr          | >= 3.3.beta1_20121221 < **          |
dolibarr  | dolibarr_erp_crm  |                                     |

CVSS provenance

Source | CVSS version | Score | Severity | Vector
-------|--------------|-------|----------|-------------------------------------------------
nvd    | v3.1         | 7.2   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0         | 6.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:P
osv    |              | 7.2   | HIGH     |