CVE-2021-3991 — Improper Authorization in Dolibarr

CWE-285 — Improper Authorization CWE-639 — Authorization Bypass Through User-Controlled Key5 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 84.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dolibarr Dolibarr Dolibarr ERP CRM Dolibarr

Timeline

PublishedNov 15

Description

An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Packagistdolibarr/dolibarr< 15.0.0

▶NVDdolibarr/dolibarr_erp_crm< 20.0.2

▶CVEListV5dolibarr/dolibarr_dolibarrunspecified — develop

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Improper Authorization in dolibarr/dolibarr↗2024-11-15

▶

OSV

CVE-2021-3991: An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch↗2024-11-15

▶

GHSA

Improper Authorization in dolibarr/dolibarr↗2024-11-15

▶

CVEList

Improper Authorization in dolibarr/dolibarr↗2024-11-15

▶