GHSA-vxr9-p2xw-m8cf

Suggest an improvement
Source
https://github.com/advisories/GHSA-vxr9-p2xw-m8cf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vxr9-p2xw-m8cf/GHSA-vxr9-p2xw-m8cf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vxr9-p2xw-m8cf
Aliases
Published
2022-05-24T19:20:28Z
Modified
2024-04-24T18:57:22.598483Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Dolibarr remote PHP code execution
Details

The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.

Database specific
{
    "nvd_published_at": "2021-11-10T23:15:00Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T18:39:36Z"
}
References

Affected packages

Packagist / dolibarr/dolibarr

Package

Name
dolibarr/dolibarr
Purl
pkg:composer/dolibarr/dolibarr

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13.0.2
Fixed
14.0.0

Affected versions

13.*

13.0.2
13.0.3
13.0.4
13.0.5