Remote Code Execution Vulnerability in Dolibarr by Doliware
CVE-2020-35136

7.2HIGH

Key Information:

Vendor

Dolibarr

Status
Dolibarr Erp\/crm
Vendor
CVE Published:
23 December 2020

What is CVE-2020-35136?

Dolibarr version 12.0.3 is susceptible to an authenticated Remote Code Execution vulnerability. Specifically, if an attacker gains access to the admin dashboard, they can exploit the backup function by injecting a malicious payload into the 'zipfilename_template' parameter via the 'admin/tools/dolibarr_export.php' script. This flaw enables the execution of arbitrary code, posing a significant risk to the compromised system.

References

https://github.com/Dolibarr/dolibarr/releases
x_refsource_MISC
https://sourceforge.net/projects/dolibarr/
x_refsource_MISC
http://bilishim.com/2020/12/18/zero-hunting-2.html
x_refsource_MISC

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.