CVE-2022-40871
Published 2022-10-12
Priority: P2 (66) · Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 33.37% (98.2nd percentile)
Dolibarr ERP & CRM <= 15.0.3 is vulnerable to eval injection (CWE-94). By default the installation page of Dolibarr remains reachable after setup, so anyone can add an administrator account through it; once such an account exists, malicious code can be inserted into the database and is then executed by eval.
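The description names two pre-conditions for the attack path: a release in the affected range, and an installation page that is still reachable. The following checker, an added example that is not Dolibarr project code, tests both offline against constructed inputs. It reads the release from the `define('DOL_VERSION', ...)` line that Dolibarr keeps in `htdocs/filefunc.inc.php`, compares it with the 15.0.3 ceiling from this advisory, and classifies a response for `/install/` as locked or reachable. The response-classification heuristic (a locked installer answers with an `install.lock` notice) and the sample responses are assumptions, not captured from a real host.

```python
"""Pre-condition checks for CVE-2022-40871 on a Dolibarr instance.

Added example; not Dolibarr project code. Assumptions are marked below.
"""
import re
from typing import Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Affected range from the advisory: every release up to and including 15.0.3.
LAST_VULNERABLE = (15, 0, 3)

# Dolibarr records its release in htdocs/filefunc.inc.php as
#   define('DOL_VERSION', '15.0.3');
DOL_VERSION_RE = re.compile(r"define\(\s*'DOL_VERSION'\s*,\s*'([^']+)'\s*\)")

# Constructed sample inputs (not captured from a real host).
SAMPLE_FILEFUNC = "<?php\n// filefunc.inc.php\ndefine('DOL_VERSION', '15.0.3');\n"
SAMPLE_OPEN_INSTALLER = (
    "<html><head><title>Dolibarr install or upgrade</title></head>"
    "<body><form action='check.php'>...</form></body></html>"
)
SAMPLE_LOCKED_INSTALLER = (
    "Install pages have been disabled for security (by the existence of a "
    "file install.lock into the Dolibarr data directory)."
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'15.0.3' -> (15, 0, 3). A '-suffix' is ignored; missing parts count as 0."""
    core = version.split("-", 1)[0]
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    nums = (nums + [0, 0, 0])[:3]
    return nums[0], nums[1], nums[2]


def version_from_filefunc(source: str) -> Optional[str]:
    """Extract DOL_VERSION from the contents of htdocs/filefunc.inc.php."""
    match = DOL_VERSION_RE.search(source)
    return match.group(1) if match else None


def is_affected(version: str) -> bool:
    """True when the release falls inside the advisory's <= 15.0.3 range."""
    return parse_version(version) <= LAST_VULNERABLE


def installer_exposed(status: int, body: str) -> bool:
    """Decide from an HTTP response for /install/ whether the installer is reachable.

    Assumption: a locked installer answers with the install.lock notice
    ('Install pages have been disabled ...'); any other 200 response that
    carries install-wizard markup is treated as reachable.
    """
    if status != 200:
        return False
    text = body.lower()
    if "install.lock" in text or "have been disabled" in text:
        return False
    return "install" in text


def fetch_installer(base_url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live helper (needs network): GET <base_url>/install/ and return (status, body)."""
    req = Request(base_url.rstrip("/") + "/install/",
                  headers={"User-Agent": "cve-2022-40871-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except URLError:
        return 0, ""


def assess(filefunc_source: str, status: int, body: str) -> dict:
    """Combine both pre-conditions into one verdict."""
    version = version_from_filefunc(filefunc_source)
    affected = version is not None and is_affected(version)
    exposed = installer_exposed(status, body)
    return {
        "version": version,
        "affected_version": affected,
        "installer_exposed": exposed,
        # Both conditions from the advisory must hold for the described path.
        "at_risk": affected and exposed,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_FILEFUNC, 200, SAMPLE_OPEN_INSTALLER))
    print(assess(SAMPLE_FILEFUNC, 200, SAMPLE_LOCKED_INSTALLER))
```

On a live host, pair `fetch_installer(base_url)` with the contents of `htdocs/filefunc.inc.php` read from the server. Dolibarr's own switch for the installer pre-condition is a file named `install.lock` in the documents (data) directory; when it exists the install pages refuse to run, which is what the locked sample above models.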
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | 0 – 15.0.3 | — |
| dolibarr | dolibarr_erp_crm | <= 15.0.3 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| OSV | — | 9.8 | CRITICAL | — |
OSV · 2022-10-12
CVE-2022-40871 [CRITICAL] Dolibarr vulnerable to Eval Injection

GHSA · 2022-10-12
CVE-2022-40871 [CRITICAL] CWE-94 Dolibarr vulnerable to Eval Injection

OSV · 2022-10-12 · CVSS 9.8
CVE-2022-40871 [CRITICAL] CVE-2022-40871: Dolibarr ERP & CRM <=15
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.