cvebase
CVE-2023-30253
published 2023-05-29

CVE-2023-30253: Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.

Priority: P1 (score 80, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 79.33% (99.6th percentile)

Affected (2 ranges)

Vendor     Product            Version range     Fixed in
dolibarr   dolibarr           >= 0, < 17.0.1    17.0.1
dolibarr   dolibarr_erp_crm   < 17.0.1          17.0.1

Detection & IOCs (extracted from sources)

Source path: unix/http/dolibarr_cms_rce_cve_2023_30253
  • Detect PHP code injection bypass via uppercase <?PHP tag in Dolibarr Website module page content — the filter only blocks lowercase <?php
  • Alert on HTTP requests to Dolibarr's Website module that contain the string '<?PHP' (uppercase) in POST body, which is the bypass payload for the PHP injection filter
  • Monitor for reverse shell connections spawned from the Dolibarr web process (www-data) after page rendering, indicative of successful exploitation
  • Exploitation requires authenticated access to the Dolibarr Website module; monitor for logins followed by Website module page creation/editing activity on Dolibarr versions before 17.0.1
  • Exploitation requires authenticated access — the vulnerability is not exploitable without valid credentials that have access to the Dolibarr Website module
  • Only Dolibarr versions strictly before 17.0.1 are vulnerable; the fix was introduced in 17.0.1
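The filter weakness behind the bullets above (a case-sensitive check for '<?php'), set beside the case-insensitive check a defender would use, with a detection pass over constructed sample POST bodies. This is an added illustration, not code from cvebase, Dolibarr or the exploit module named above; the sample bodies are made up.

```python
import re

# Constructed sample bodies, as a CMS page editor might POST them (not real Dolibarr traffic).
SAMPLES = {
    "plain": "<h1>Welcome</h1><p>Hello world</p>",
    "xml_prolog": "<?xml version='1.0'?><root/>",
    "lowercase": "<h1>Hi</h1><?php echo 'x'; ?>",
    "uppercase": "<h1>Hi</h1><?PHP echo 'x'; ?>",
    "mixed_case": "<h1>Hi</h1><?Php echo 'x'; ?>",
    "short_echo": "<h1>Hi</h1><?= 'x' ?>",
}


def naive_filter_blocks(body: str) -> bool:
    """Case-sensitive check of the kind this advisory describes: only a
    lowercase '<?php' open tag is caught, so '<?PHP' passes straight through."""
    return "<?php" in body


# PHP's lexer accepts the open tag in any case, so the check must be case-insensitive.
# '<?=' is the short echo tag, which works regardless of the short_open_tag setting.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def hardened_filter_blocks(body: str) -> bool:
    """Case-insensitive match on PHP open tags; '<?xml' is deliberately not matched."""
    return PHP_OPEN_TAG.search(body) is not None


def bypass_attempts(bodies: dict) -> list:
    """Detection pass over submitted bodies: names of those carrying a PHP open
    tag that the case-sensitive filter would have let through."""
    return [name for name, body in bodies.items()
            if hardened_filter_blocks(body) and not naive_filter_blocks(body)]


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:11s} naive={naive_filter_blocks(body)!s:5s} "
              f"hardened={hardened_filter_blocks(body)}")
    print("missed by case-sensitive filter:", bypass_attempts(SAMPLES))
```

The same regex, applied to request bodies bound for the Website module, implements the second bullet above without the lowercase-only gap.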

CVSS provenance

NVD (CVSS v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
OSV: 8.8 HIGH