Arbitrary File Upload Affecting dolibarr/dolibarr package, versions <11.0.5


Severity

critical (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Mature
EPSS: 0.92% (84th percentile)

  • Snyk ID: SNYK-PHP-DOLIBARRDOLIBARR-609519
  • Published: 3 Sept 2020
  • Disclosed: 3 Sept 2020
  • Credit: Andrea Gonzalez

Introduced: 3 Sep 2020

CVE-2020-14209
CWE-285

How to fix?

Upgrade dolibarr/dolibarr to version 11.0.5 or higher.

Overview

dolibarr/dolibarr is a modern and easy to use web software to manage your business.

Affected versions of this package are vulnerable to Arbitrary File Upload. It is possible for low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).
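The two weaknesses the advisory names are a type filter that lets executable extensions such as .pht and .phar through, and an upload path that accepts a .htaccess file able to re-enable execution of renamed (.noexe) files. The validator below is an added example written for this page; it is not Dolibarr's code, and it is in Python rather than PHP only because the check is language-independent. The allowlist, the dangerous-segment set and the sample inputs are constructed assumptions; the point it demonstrates is that an upload filter must refuse dotfiles, check every extension segment (not just the last one), use an allowlist for the final extension, and confirm the content matches the declared type.

```python
import re
from typing import Tuple

# Constructed allowlist of document types an upload feature might legitimately need (assumption).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv", "odt", "ods"}

# Extension segments a PHP-capable web server may execute, or that change its configuration.
# Illustrative, not exhaustive; .pht and .phar are the two the advisory names.
DANGEROUS_SEGMENTS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar", "phps",
    "cgi", "pl", "sh", "htaccess", "htpasswd", "ini",
}

# Leading magic bytes for the binary formats on the allowlist (well-known signatures).
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Conservative character set: no spaces, no shell metacharacters, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def basename(filename: str) -> str:
    """Drop any directory part the client supplied ('../x', 'C:\\x')."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def validate_upload_name(filename: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for the client-supplied file name alone."""
    name = basename(filename)
    if name in ("", ".", ".."):
        return False, "empty or directory name"
    # Dotfiles such as .htaccess or .user.ini reconfigure the server; they are never documents.
    if name.startswith("."):
        return False, "hidden/config file names are refused"
    if not SAFE_NAME.fullmatch(name):
        return False, "name contains characters outside [A-Za-z0-9._-]"
    segments = name.lower().split(".")
    if len(segments) < 2:
        return False, "no extension"
    # Every segment is checked, so shell.php.jpg and shell.phar.noexe are both refused.
    for seg in segments[1:]:
        if seg in DANGEROUS_SEGMENTS:
            return False, f"dangerous extension segment '.{seg}'"
    if segments[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{segments[-1]}' is not on the allowlist"
    return True, "ok"


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Name check plus a content check: an allowed extension must carry matching bytes."""
    ok, reason = validate_upload_name(filename)
    if not ok:
        return False, reason
    ext = basename(filename).rsplit(".", 1)[-1].lower()
    signatures = MAGIC.get(ext)
    if signatures is not None and not data.startswith(signatures):
        return False, f"content does not match the '.{ext}' signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads, not real files.
    samples = [
        ("Report-2020.PDF", b"%PDF-1.4\n%constructed"),
        ("shell.pht", b"<?php echo 1; ?>"),
        ("webshell.phar", b"<?php echo 1; ?>"),
        ("docs/../.htaccess", b"AddType application/x-httpd-php .noexe\n"),
        ("shell.php.noexe", b"<?php echo 1; ?>"),
        ("logo.png", b"<?php echo 1; ?>"),
        ("notes.txt", b"plain text"),
    ]
    for fn, content in samples:
        print(f"{fn!r}: {validate_upload(fn, content)}")
```

Name filtering on its own is only half of the fix for the .htaccess case: the web server should also be configured so that per-directory overrides are ignored for the upload location (Apache's AllowOverride None), or the upload directory should sit outside the document root entirely, so that an uploaded .htaccess has no effect even if a filter is bypassed.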

CVSS Scores (version 3.1)