CVE-2021-25956
Published 2021-08-17

Priority: P3 39 · High · CVSS 3.1 base score 7.2
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.94% (56.3 percentile)
In the “Dolibarr” application, versions v3.3.beta1_20121221 to v13.0.2 give admin-level users “Modify” access to change other users’ details, but fail to validate that a new “Login” name is not already in use when a user’s “Login” is renamed. This leads to complete account takeover of the victim user, because the password is overwritten for the existing victim user with the same login name.
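To make the failure mode concrete, the following is an added example and not Dolibarr’s code: a constructed in-memory user store in which the login is the lookup key, with a rename routine that omits the uniqueness check beside one that enforces it. The class and function names (`UserStore`, `rename_vulnerable`, `rename_hardened`, `seed_store`) and the sample users and “hash” strings are hypothetical and built only for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass


class LoginCollisionError(ValueError):
    """Raised when a rename would reuse a login that belongs to another user."""


@dataclass
class User:
    user_id: int
    login: str
    password_hash: str  # constructed placeholder string, not a real hash


class UserStore:
    """Constructed in-memory model of a user table that is looked up by login."""

    def __init__(self) -> None:
        self._by_login: dict[str, User] = {}

    def add(self, user: User) -> None:
        # Equivalent of a UNIQUE constraint on the login column.
        if user.login in self._by_login:
            raise LoginCollisionError(f"login {user.login!r} already exists")
        self._by_login[user.login] = user

    def get(self, login: str) -> User | None:
        return self._by_login.get(login)

    def rename_vulnerable(self, old_login: str, new_login: str) -> User:
        """Flaw class from the advisory: the target login is never checked,
        so the renamed record silently replaces whatever account already
        sits under new_login, password and all."""
        user = self._by_login.pop(old_login)
        user.login = new_login
        self._by_login[new_login] = user
        return user

    def rename_hardened(self, old_login: str, new_login: str) -> User:
        """Refuse the rename when the target login belongs to someone else."""
        user = self._by_login[old_login]
        if new_login == old_login:
            return user
        if new_login in self._by_login:
            raise LoginCollisionError(f"login {new_login!r} already exists")
        del self._by_login[old_login]
        user.login = new_login
        self._by_login[new_login] = user
        return user


def seed_store() -> UserStore:
    """Two constructed sample accounts."""
    store = UserStore()
    store.add(User(1, "alice", "hash-alice"))
    store.add(User(2, "bob", "hash-bob"))
    return store


def run_vulnerable() -> str:
    """Password hash served for login 'alice' after an admin renames bob's
    login to 'alice' without any uniqueness check."""
    store = seed_store()
    store.rename_vulnerable("bob", "alice")
    return store.get("alice").password_hash


def run_hardened() -> tuple[bool, str]:
    """(rename_rejected, hash still served for 'alice') with the check in place."""
    store = seed_store()
    try:
        store.rename_hardened("bob", "alice")
        rejected = False
    except LoginCollisionError:
        rejected = True
    return rejected, store.get("alice").password_hash


if __name__ == "__main__":
    print("vulnerable rename: login 'alice' now carries", run_vulnerable())
    print("hardened rename: rejected =", run_hardened()[0])
```

The hardened path checks the target login before touching the record, and `add` models the database-level UNIQUE constraint that should back the application check; relying on either alone leaves a window (a race on the application check, or an unhandled constraint error that may still leave the old record removed).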
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | 3.3.1 – 13.0.2 | — |
| dolibarr | dolibarr | >= 3.3.beta1 < 14.0.0 | 14.0.0 |
| dolibarr | dolibarr | >= 3.3.beta1_20121221 < * | * |
| dolibarr | dolibarr_erp_crm | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| OSV | — | 7.2 | HIGH | — |
Source records

- OSV · 2021-09-02 · CVE-2021-25956 [HIGH] · Dolibarr vulnerable to Improper Authentication and Improper Access Control
- GHSA · 2021-09-02 · CVE-2021-25956 [HIGH] · CWE-284 · Dolibarr vulnerable to Improper Authentication and Improper Access Control
- OSV · 2021-08-17 · CVSS 7.2 · CVE-2021-25956 [HIGH]

Each source record carries the same description as given above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References

- https://github.com/Dolibarr/dolibarr/commit/c4cba43bade736ab89e31013a6ccee59a6e077ee
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25956
Published: 2021-08-17