CVE-2020-14209
HIGH 8.8
Description
Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).
CVE details
CVSS v3.1 score: 8.8
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 9/2/2020
Last modified: 11/21/2024
Source: nvd
Honeypot observations: 0
Affected products
dolibarr:dolibarr
Weaknesses (CWE)
CWE-434
References
http://packetstormsecurity.com/files/161955/Dolibarr-ERP-CRM-11.0.4-Bypass-Code-Execution.html (cve@mitre.org)
https://github.com/Dolibarr/dolibarr/releases/tag/11.0.5 (cve@mitre.org)
http://packetstormsecurity.com/files/161955/Dolibarr-ERP-CRM-11.0.4-Bypass-Code-Execution.html (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Dolibarr/dolibarr/releases/tag/11.0.5 (af854a3a-2127-422b-91ae-364da2661108)
https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-012 (af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.