Description

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

Status: PUBLISHED
Reserved: 2023-08-07 | Published: 2023-11-01 | Updated: 2024-09-05 | Assigner: STAR_Labs

Severity: HIGH 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-20 Improper Input Validation

Product status

Default status: unaffected
Any version: affected

Credits

Finder: Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs_sg)

References

starlabs.sg/advisories/23/23-4197 (third-party advisory)

github.com/...ommit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e (patch)

cve.org (CVE-2023-4197)

nvd.nist.gov (CVE-2023-4197)