CVE-2021-33816 — Code Injection in Dolibarr

CWE-94 — Code Injection5 documents4 sources

Severity

9.8CRITICALNVD

EPSS

2.6%

top 14.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dolibarr Dolibarr ERP CRM

Timeline

PublishedNov 10

Latest updateMay 24

Description

The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶Packagistdolibarr/dolibarr13.0.2 — 14.0.0

▶NVDdolibarr/dolibarr_erp_crm13.0.2

🔴Vulnerability Details

GHSA

Dolibarr remote PHP code execution↗2022-05-24

▶

OSV

Dolibarr remote PHP code execution↗2022-05-24

▶

CVEList

CVE-2021-33816: The website builder module in Dolibarr 13↗2021-11-10

▶

OSV

CVE-2021-33816: The website builder module in Dolibarr 13↗2021-11-10

▶