PHP Remote File Inclusion Affecting dolibarr/dolibarr package, versions >=0.0.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-DOLIBARRDOLIBARR-11023260
- published27 Jul 2025
- disclosed21 Jul 2025
- creditwh0amitz
Introduced: 21 Jul 2025
New CVE NOT AVAILABLE CWE-98 (opens in a new tab)How to fix?
There is no fixed version for dolibarr/dolibarr.
Overview
dolibarr/dolibarr is a modern and easy to use web software to manage your business.
Affected versions of this package are vulnerable to PHP Remote File Inclusion in the perms process of menu creation and editing, where user-supplied input is evaluated without sufficient filtering of dangerous PHP functions. An attacker can execute arbitrary code and access sensitive files by submitting crafted PHP code as menu permissions, which is then executed on the server. This can be exploited through local or remote file inclusion, and may be further leveraged by uploading a file without a suffix and including it via the menu permissions. This is only exploitable if the attacker has authenticated access to the backend menu management functionality and, for remote file inclusion, if the allow_url_include option is enabled in the PHP configuration.