Remote Code Execution (RCE) Affecting dolibarr/dolibarr package, versions <12.0.4


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
4.19% (93rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Remote Code Execution (RCE) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PHP-DOLIBARRDOLIBARR-1053954
  • published23 Dec 2020
  • disclosed23 Dec 2020
  • creditYilmaz Değirmenci

Introduced: 23 Dec 2020

CVE-2020-35136  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade dolibarr/dolibarr to version 12.0.4 or higher.

Overview

dolibarr/dolibarr is a modern and easy to use web software to manage your business.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.

CVSS Scores

version 3.1