Eval Injection Vulnerability in Dolibarr ERP & CRM by Dolibarr Association
CVE-2022-40871

9.8CRITICAL

Key Information:

Vendor: Dolibarr
Status: Dolibarr Erp\/crm
Vendor: CVE Published:; 12 October 2022

What is CVE-2022-40871?

Dolibarr ERP & CRM versions up to 15.0.3 exhibit a vulnerability that allows unauthorized users to inject and execute arbitrary code through eval functions. By exploiting this flaw, a malicious actor with administrator access can add themselves via the installation interface, thereafter inserting malicious scripts into the database. This could lead to a severe compromise of the application and its data integrity.

References

https://github.com/youncyb/dolibarr-rce

EPSS Score

78% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 12, 2022
Vulnerability Reserved
Sep 19, 2022