CVE-2023-4197

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

Published: Nov 1, 2023
Updated: May 9, 2024
CVE: CVE-2023-4197
GHSA: GHSA-r9cm-pw9j-3fpx
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-74
CWE-20

Affected Software
References

Software	From	Fixed in
dolibarr / dolibarr	-	18.0.2
dolibarr / dolibarr_erp/crm	-	18.0.1.x

https://github.com/Dolibarr/dolibarr/commit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e
https://starlabs.sg/advisories/23/23-4197

Vulnerability Database

289,782

CVE-2023-4197