CVE-2023-4197 — Improper Input Validation in Dolibarr

CWE-20 — Improper Input Validation CWE-74 — Injection5 documents4 sources

Severity

8.8HIGHNVD

CNA7.5

EPSS

51.1%

top 2.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dolibarr Dolibarr ERP CRM

Timeline

PublishedNov 1

Description

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Packagistdolibarr/dolibarr< 18.0.2

▶CVEListV5dolibarr/dolibarr_erp_crm18.0.1

▶NVDdolibarr/dolibarr_erp_crm18.0.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-4197: Improper input validation in Dolibarr ERP CRM <= v18↗2023-11-01

▶

OSV

Dolibarr Improper Input Validation vulnerability↗2023-11-01

▶

GHSA

Dolibarr Improper Input Validation vulnerability↗2023-11-01

▶

CVEList

Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE↗2023-11-01

▶