Description: Remote Code Execution (RCE) in Dolibarr
Versions Affected: <= 20.0.4
Date: December 22, 2024
Researcher: Muhammad Zeeshan (Xib3rR4dAr)
Product Link: https://www.dolibarr.org
Dolibarr ERP was found to contain a remote code execution (RCE) vulnerability.
The "Computed field" text box in the "Users Module Setup" functionality of Dolibarr is not properly sanitized, allowing an authenticated user to execute arbitrary commands.
Payload: strrev('cexe') ('whoami')
(note the space)
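The payload above spells the function name backwards and reverses it at run time, so any check that only looks for the literal text of a dangerous function name never sees it. As an added illustration, written here for this advisory and not taken from Dolibarr's code or from the linked fix, the following PHP contrasts that kind of substring denylist with a token allowlist that only admits numbers, object properties and arithmetic, and therefore rejects any bare identifier or call-like construct before the expression is ever evaluated. The function names, the benign sample expression and the `$object->...` property form are constructed for the example.

```php
<?php
// Added illustration, not Dolibarr's own code: two ways to screen a
// "computed field" expression before it reaches any evaluator.

// Constructed inputs: the expression quoted in the advisory and a benign one.
const ADVISORY_EXPR = "strrev('cexe') ('whoami')";
const BENIGN_EXPR   = '$object->qty * $object->price';

// Substring denylist of dangerous function names. The advisory's expression
// builds the name at run time with strrev(), so the literal text never
// appears in the input and this check lets it through.
function denylistAccepts(string $expr): bool
{
    foreach (['exec', 'system', 'shell_exec', 'passthru', 'eval'] as $bad) {
        if (stripos($expr, $bad) !== false) {
            return false;
        }
    }
    return true;
}

// Token allowlist: only numeric literals, object properties ($var->name),
// arithmetic operators and grouping parentheses are permitted. A bare
// identifier (a potential function name), a string literal, or an opening
// parenthesis that follows a value (a call rather than grouping) is rejected,
// so a dynamically built function name has no way to be invoked.
function allowlistAccepts(string $expr): bool
{
    $allowedChars = ['+', '-', '*', '/', '(', ')'];
    $allowedIds   = [T_LNUMBER, T_DNUMBER, T_VARIABLE, T_OBJECT_OPERATOR];

    $tokens = token_get_all('<?php ' . $expr . ';');
    array_shift($tokens);                       // drop the T_OPEN_TAG token
    if (end($tokens) !== ';') {                 // a comment may have swallowed it
        return false;
    }
    array_pop($tokens);                         // drop the terminating ';'

    $prev = null;                               // previous non-whitespace token
    foreach ($tokens as $tok) {
        if (is_string($tok)) {                  // single-character token
            if (!in_array($tok, $allowedChars, true)) {
                return false;
            }
            // "(" directly after a value or a closing ")" is a call, not grouping
            $prevIsValue = is_string($prev)
                ? $prev === ')'
                : ($prev !== null && in_array($prev[0], [T_VARIABLE, T_STRING], true));
            if ($tok === '(' && $prevIsValue) {
                return false;
            }
            $prev = $tok;
            continue;
        }

        [$id] = $tok;
        if ($id === T_WHITESPACE) {
            continue;
        }
        if ($id === T_STRING) {
            // an identifier is acceptable only as a property name right after "->"
            if (!(is_array($prev) && $prev[0] === T_OBJECT_OPERATOR)) {
                return false;
            }
        } elseif (!in_array($id, $allowedIds, true)) {
            return false;
        }
        $prev = $tok;
    }
    return true;
}

var_dump(denylistAccepts(ADVISORY_EXPR));
var_dump(allowlistAccepts(ADVISORY_EXPR));
var_dump(allowlistAccepts(BENIGN_EXPR));
```

Run with `php` on the command line: the denylist accepts the advisory's expression because the text "exec" is never present, while the allowlist rejects it on the first token (`strrev` is a bare identifier not preceded by `->`) and still accepts the benign arithmetic expression. The design point is that a filter must reason about what the expression can do (calls, identifiers), not about which strings it happens to contain.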
Fix: Update to version v21.0.0
References:
https://github.com/Dolibarr/dolibarr/commit/fcc344f9da6b4d99c408833cd02f0b2d3ae87db4
https://github.com/Dolibarr/dolibarr/releases/tag/21.0.0
https://gist.github.com/Xib3rR4dAr/920c631dcc08c372cf2f28264b7813c2
Timeline:
- Vulnerability discovery in v20.0.1: December 22, 2024
- Vulnerability reported to Dolibarr: December 23, 2024
- Vulnerability confirmed by Dolibarr: December 24, 2024
- Initial Fix: Dec 26, 2024
- Version 21.0.0 released fixing the vulnerability: December 26, 2024