CVE-2023-4197

2023-11-0108:15:07

CWE-20

CWE-74

[email protected]

web.nvd.nist.gov

cve-2023-4197

dolibarr erp crm

input validation

php code

security vulnerability

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

29.7%

JSON

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

Affected configurations

NVD

Node

dolibarrdolibarr_erp\/crmRange≤18.0.1

VendorProductVersionCPE
dolibarrdolibarr_erp/crmcpe:/a:dolibarr:dolibarr_erp/crm::::

Vendor	Product	Version	CPE
dolibarr	dolibarr_erp/crm		cpe:/a:dolibarr:dolibarr_erp/crm::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Website"
    ],
    "product": "Dolibarr ERP CRM",
    "repo": "https://github.com/Dolibarr/dolibarr",
    "vendor": "Dolibarr",
    "versions": [
      {
        "lessThanOrEqual": "18.0.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]