Lucene search

[email protected]CVE-2020-13240

HistoryMay 20, 2020 - 3:15 p.m.

CVE-2020-13240

2020-05-2015:15:11

CWE-276

CWE-668

[email protected]

web.nvd.nist.gov

dolibarr

dms

ecm

file extension

security vulnerability

cve-2020-13240

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

24.9%

JSON

The DMS/ECM module in Dolibarr 11.0.4 allows users with the ‘Setup documents directories’ permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.

Affected configurations

NVD

Node

dolibarrdolibarr_erp\/crmMatch11.0.4

CPENameOperatorVersion
dolibarr:dolibarr_erp\/crmdolibarr dolibarr erp/crmeq11.0.4

CPE	Name	Operator	Version
dolibarr:dolibarr_erp\/crm	dolibarr dolibarr erp/crm	eq	11.0.4

References

www.dubget.com/stored-xss-via-file-upload.html

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

24.9%

JSON

Related for CVE-2020-13240

cvelist1 ubuntucve1 osv2 nvd1 github1 prion1