CVE Vulnerability

CVE-2019-11201

Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server.

8.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:dolibarr:dolibarr_erp/crm:9.0.1:*:*:*:*:*:*:*
Information

Published : 2019-07-29 04:15

Updated : 2019-08-05 06:00

NVD link : CVE-2019-11201

Mitre link : CVE-2019-11201

Products Affected
No products.
CWE
CWE-94