CVE-2019-15062

An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

Published: Aug 15, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-15062
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6
AV:N/AC:M/Au:S/C:P/I:P/A:P

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
dolibarr / dolibarr_erp/crm	11.0.0-alpha	11.0.0-alpha.x

https://gauravnarwani.com/publications/CVE-2019-15062/
https://github.com/Dolibarr/dolibarr/issues/11671

Vulnerability Database

290,206

CVE-2019-15062