CVE-2023-30253
Published: 2023-05-29

CVE-2023-30253: Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.

Priority: P1 · 80 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: EPSS 79.33% (99.6th percentile)
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | >= 0 < 17.0.1 | 17.0.1 |
| dolibarr | dolibarr_erp_crm | < 17.0.1 | 17.0.1 |
Detection & IOCs (extracted from sources)
- Detect PHP code injection bypass via the uppercase <?PHP tag in Dolibarr Website module page content; the filter only blocks lowercase <?php.
- Alert on HTTP requests to Dolibarr's Website module that contain the string '<?PHP' (uppercase) in the POST body, which is the bypass payload for the PHP injection filter.
- Monitor for reverse shell connections spawned from the Dolibarr web process (www-data) after page rendering, indicative of successful exploitation.
- Exploitation requires authenticated access to the Dolibarr Website module; monitor for logins followed by Website module page creation/editing activity on Dolibarr versions before 17.0.1.
- Exploitation requires authenticated access: the vulnerability is not exploitable without valid credentials that have access to the Dolibarr Website module.
- Only Dolibarr versions strictly before 17.0.1 are vulnerable; the fix was introduced in 17.0.1.
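The detection items above boil down to one check: a filter that matches the PHP open tag case-sensitively misses every variant the PHP engine still accepts. The following added example (not Dolibarr's code, and not from any of the sources listed on this page) places a lowercase-only check next to a case-insensitive one and runs both over constructed sample request bodies, reporting which submissions the weak filter would have let through. The `user` and `body` field names and the sample bodies are constructed for the example.

```python
"""Case-insensitive detection of PHP open tags in submitted page content.

Added example for CVE-2023-30253 (not Dolibarr's code). The lowercase-only
pattern models the behaviour this page describes for versions before 17.0.1;
the case-insensitive pattern is the check a filter or detection rule needs,
because PHP itself recognises the open tag regardless of case.
"""
import re

# Case-sensitive check: blocks "<?php" only, so "<?PHP" passes (the bypass).
LOWERCASE_ONLY = re.compile(r"<\?php")

# Hardened check: matches "<?php", "<?PHP", "<?Php", ... as PHP would.
ANY_CASE = re.compile(r"<\?php", re.IGNORECASE)


def lowercase_filter_blocks(content: str) -> bool:
    """True if the weak (case-sensitive) filter would reject this content."""
    return LOWERCASE_ONLY.search(content) is not None


def hardened_filter_blocks(content: str) -> bool:
    """True if the case-insensitive filter would reject this content."""
    return ANY_CASE.search(content) is not None


# Constructed sample request bodies (not real traffic); field names are
# hypothetical and stand in for the page-content field of a POST request.
SAMPLE_REQUESTS = [
    {"user": "alice", "body": "<h1>Welcome</h1><p>plain html</p>"},
    {"user": "bob", "body": "<p><?php echo 'x'; ?></p>"},
    {"user": "mallory", "body": "<p><?PHP echo 'x'; ?></p>"},
    {"user": "mallory", "body": "<p><?Php echo 'x'; ?></p>"},
]


def scan_requests(requests):
    """Return one alert per body containing a PHP open tag in any case.

    Each alert records the exact tag seen and whether a lowercase-only
    filter would have missed it, which is the gap the bypass exploits.
    """
    alerts = []
    for req in requests:
        match = ANY_CASE.search(req["body"])
        if match is None:
            continue
        alerts.append({
            "user": req["user"],
            "tag": match.group(0),
            "missed_by_lowercase_filter": not lowercase_filter_blocks(req["body"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(alert)
```

Running the block prints three alerts; the two uppercase and mixed-case submissions carry `missed_by_lowercase_filter: True`, which is exactly the set a rule keyed on the literal `<?PHP` string would also catch, while the case-insensitive pattern additionally covers spellings such as `<?Php` that a literal match would not.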
CVSS provenance
- nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- osv: 8.8 HIGH
OSV
CVE-2023-30253: Dolibarr before 17
osv · 2023-05-29 · CVSS 8.8
CVE-2023-30253 [HIGH] CVE-2023-30253: Dolibarr before 17
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
GHSA
Dolibarr vulnerable to remote code execution via uppercase manipulation
ghsa · 2023-05-29
CVE-2023-30253 [HIGH] CWE-78 Dolibarr vulnerable to remote code execution via uppercase manipulation
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
No detection rules found.
CTF
README
ctf_writeups
README
# Hack The Box (HTB) Write-ups Repository
Welcome to my **Hack The Box (HTB) write-ups repository**, a comprehensive collection of **hands-on cybersecurity walkthroughs**. This repository covers **HTB Academy labs, challenges, and machines**, including detailed step-by-step guides, screenshots, and relevant resources to help beginners and professionals sharpen their penetration testing and ethical hacking skills.
---
## 📂 Repository Structure
| Category | Subcategory | Description |
|:---|:---|:---|
| **Academy Labs** | 00. Intro to Academy | Beginner guides with images, fundamentals of Linux, Windows, Networking, Web apps, Bash scripting, and JavaScript deobfuscation |
| | 01. Pre-Engagement | Learning process, Penetration testing workflow, setup guides, Linux & Windows fundamental
CTF
BoardLight / README
ctf_writeups · CVSS 7.8
CVE-2023-30253 [HIGH] BoardLight / README
# BoardLight - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22`, and `80`.
***User***: Discovered the virtual host `crm.board.htb` running `Dolibarr 17.0.0`, which is vulnerable to `CVE-2023-30253`. Exploit this CVE to obtain a reverse shell as `www-data`. Reuse the database password from `conf.php` for SSH login as `larissa`.
***Root***: Identified an SUID file at `lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys`. Use `CVE-2022-37706` to achieve Local Privilege Escalation.
## BoardLight Solution
### User
Let's begin by using `nmap` to scan the target machine:
```console
┌─[evyatar9@parrot]─[/hackthebox/BoardLight]
└──╼ $ nmap -sV -sC -oA nmap/BoardLigh
```
CTF
easy / README
ctf_writeups · CVSS 6.0
[MEDIUM] easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
CTF
ippsec-video-index
ctf_writeups · CVSS 8.6
[HIGH] ippsec-video-index
# IppSec HTB Video Index - Complete Reference
> The most comprehensive index of IppSec's HackTheBox video walkthroughs.
> Data sourced from [ippsec.rocks](https://ippsec.rocks) dataset, GitHub, and community resources.
> Last updated: 2026-04-10
## Stats
| Category | Count |
|----------|-------|
| HTB Machine Walkthroughs | 432 |
| UHC (Ultimate Hacking Championship) | 12 |
| HTB Sherlocks (DFIR) | 7 |
| VulnHub Machines | 4 |
| Tutorials / Methodology / Special | 61 |
| HTB Academy Modules | 17 |
| **Total Unique Content** | **533** |
| Total Searchable Entries (timestamps) | 9,245 |
## Key Resources
| Resource | URL |
|----------|-----|
| YouTube Channel | [youtube.com/ippsec](https://youtube.com/ippsec) |
| Searchable Video Index | [ippsec.rocks](https://ippsec.rocks) |
| GitHub |
Rapid7
Metasploit Wrap-Up 05/15/2026
blogs_rapid7 · 2026-05-15 · CVSS 8.8
CVE-2025-6793 [HIGH] Metasploit Wrap-Up 05/15/2026
## Weaponizing a text editor for fun and profit
Gather round, dear readers, because today, we (by we, we mean @h00die) dropped the ultimate persistence mechanism: Vim plugin persistence. And honestly, calling it "persistence" feels redundant — Vim is already the most persistent thing ever. Somewhere, somehow, there will still be a Vim session open since 2011, because no one has figured out how to close it. So we are not so much establishing a foothold here as we are joining an existing hostage situation.
Elsewhere this week, Marvell's QConvergeConsole has been caught handing arbitrary files to unauthenticated visitors, as is tradition (CVE-2025-6793), GestioIP 3.5.7 ships an upload handler, so trusting it will cheerfully let an admin overwrite the handler with a backdoor and then dutiful