OS Command Injection Vulnerability in Dolibarr ERP/CRM by Dolibarr
CVE-2012-10059

9.4CRITICAL

Key Information:

Vendor

Dolibarr Project

Status
Erp/crm
Vendor
CVE Published:
13 August 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2012-10059?

Dolibarr ERP/CRM versions up to 3.1.1 and 3.2.0 have a post-authenticated OS command injection vulnerability that impacts the database backup feature. The flaw exists within the export.php script due to inadequate sanitization of the sql_compat parameter. This oversight allows authenticated users to inject arbitrary commands, potentially leading to remote code execution on the server. This vulnerability poses a significant risk to system integrity and data security for organizations utilizing affected versions.

Affected Version(s)

ERP/CRM * <= 3.1.1

ERP/CRM * <= 3.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2012-10059 - Proof of Concept

CVE-2012-10059 - Proof of Concept

CVE-2012-10059 - Proof of Concept

References

https://raw.githubusercontent.com/rapid7/metasploit-frame...
exploit
https://www.exploit-db.com/exploits/18725
exploit
https://www.exploit-db.com/exploits/18724
exploit

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nahuel Grisolia
.
CVE-2012-10059 : OS Command Injection Vulnerability in Dolibarr ERP/CRM by Dolibarr