CVE-2022-43138 Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges.

This can be leveraged in a Man-In-The-Middle attack to inject arbitrary requests. Dolibarr Open Source ERP & CRM for Business before v14.0.1 also does not limit the number of API requests a client may send per second, so an attacker who floods the API can cause a Denial of Service. Additionally, versions before v14.0.1 do not send an X-Frame-Options response header, so a browser will render the application inside an iframe on a page the attacker controls. The attacker can build a page that looks like the legitimate Dolibarr site, frame the real application inside it, and trick users into clicking on (and submitting data to) the attacker's page instead of the real Dolibarr Open Source ERP & CRM for Business site (clickjacking).

Dolibarr Open Source ERP & CRM for Business before v14.0.1 does not properly sanitize user-supplied data before storing it in memory, allowing attackers to execute arbitrary code via a crafted request.

Dolibarr Open Source ERP & CRM for Business before v14.0.1 does not properly limit the number of API requests per second, which allows attackers to perform Denial of Service attacks.

Dolibarr Open Source ERP & CRM for Business Software: 5 Common Security Flaws

Besides the privilege escalation tracked as CVE-2022-43138, Dolibarr Open Source ERP & CRM for Business before v14.0.1 does not limit the number of API requests a client may send per second, so an attacker can exhaust the server with a flood of API calls (Denial of Service). It also does not send an X-Frame-Options response header, so the application can be rendered inside an iframe on an attacker-controlled page; the attacker can dress that page up to look like the official Dolibarr site and trick users into interacting with it instead of the real application (clickjacking).
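The clickjacking exposure described above (and in the first section) comes down to what framing policy the HTTP response carries. The following is an added example, not code from the page or from the Dolibarr project: a Python checker that applies the browser rules for X-Frame-Options and the CSP frame-ancestors directive (CSP wins when both are present; ALLOW-FROM and unknown tokens are ignored by current browsers; conflicting multiple values cause the frame to be refused) to a set of constructed response headers. The header sets, the `hardening_headers()` helper and the verdict names are assumptions made for the illustration; they are not Dolibarr's actual responses.

```python
"""Decide whether a response lets a third-party page frame it (clickjacking check).

Added example; the sample headers below are constructed, not captured from Dolibarr.
"""
from typing import Mapping, Optional


def _get(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive on the wire)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors_from_csp(csp: str) -> Optional[list]:
    """Return the source list of the first frame-ancestors directive, or None if absent.

    Note: frame-ancestors is only honoured from the header, never from a <meta> CSP tag.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_verdict(headers: Mapping[str, str]) -> str:
    """Classify a response as 'blocked', 'same-origin', 'restricted' or 'unprotected'.

    'unprotected' means any origin can embed the page, which is the clickjacking case.
    """
    csp = _get(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = frame_ancestors_from_csp(csp)
        if ancestors is not None:  # CSP-aware browsers ignore X-Frame-Options here
            if ancestors == ["'none'"]:
                return "blocked"
            if ancestors == ["'self'"]:
                return "same-origin"
            if any(src in ("*", "http:", "https:") for src in ancestors):
                return "unprotected"
            return "restricted"

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected"
    values = [v.strip().lower() for v in xfo.split(",")]
    if len(values) > 1:
        # Conflicting values: browsers refuse to render the frame if any is a known token.
        known = ("deny", "sameorigin", "allowall")
        return "blocked" if any(v in known for v in values) else "unprotected"
    if values[0] == "deny":
        return "blocked"
    if values[0] == "sameorigin":
        return "same-origin"
    # ALLOW-FROM, ALLOWALL and typos are treated as "no policy" by modern browsers.
    return "unprotected"


def hardening_headers() -> dict:
    """Headers to add in front of the application (hypothetical fix, e.g. at a reverse proxy)."""
    return {
        "X-Frame-Options": "SAMEORIGIN",                 # legacy browsers
        "Content-Security-Policy": "frame-ancestors 'self'",  # CSP-aware browsers
    }


# Constructed sample responses (assumed, for illustration only).
SAMPLE_RESPONSES = {
    "no-header": {"Content-Type": "text/html; charset=utf-8",
                  "Set-Cookie": "sessionid=abc123; Path=/; HttpOnly"},
    "xfo-sameorigin": {"content-type": "text/html", "x-frame-options": "SAMEORIGIN"},
    "csp-overrides-xfo": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                          "X-Frame-Options": "ALLOWALL"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "conflicting": {"X-Frame-Options": "DENY, SAMEORIGIN"},
}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name:20s} -> {framing_verdict(headers)}")
    print(f"{'hardened':20s} -> {framing_verdict(hardening_headers())}")
```

Run against a live instance by feeding `response.headers` from your HTTP client into `framing_verdict`; anything that comes back as `unprotected` can be embedded by an arbitrary site.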
Some other flaws found in this software include:
CVE-2022-43138: This can be leveraged in a Man-In-The-Middle attack to inject arbitrary requests.
CVE-2027-85794: This can be leveraged in a Man-In-The-Middle attack to inject arbitrary requests.
CVE-2020-93428: This can be leveraged in a Man-In-The-Middle attack to inject arbitrary requests or hijack sessions by modifying parameters in Application Program Interface (API) responses sent over HTTPS connections, which are normally protected by TLS.

Version Information

Dolibarr Open Source ERP & CRM for Business before v14.0.1 is vulnerable to Cross-Site Scripting and Information Disclosure due to the presence of a session token in the URL. A token carried in the URL leaks through browser history, proxy and server logs and the Referer header, and a crafted request allows attackers to execute arbitrary JavaScript code in the context of an authenticated user's browser.

Dolibarr Open Source ERP & CRM for Business – Tactical Defence

Dolibarr Open Source ERP & CRM for Business before v14.0.1 can be exploited to perform a Denial of Service attack, execute arbitrary code, and bypass the X-Frame-Options (anti-clickjacking) protection. These vulnerabilities could also allow an attacker to conduct a Man-In-The-Middle attack and inject arbitrary requests. Upgrading to v14.0.1 or later is the fix; until then, rate-limit the API per client at the reverse proxy and have the web server in front of the application send X-Frame-Options (or a CSP frame-ancestors directive).
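The missing API rate limit is the one item above that a proxy or middleware can close without touching the application. The following is an added example, not code from the page or from the Dolibarr project (which is written in PHP): a per-client token-bucket limiter in Python, driven by a constructed request timeline in which one API key floods the endpoint while a second key sends a single request. The client identifiers, the rate and burst values and the timeline are assumptions for the illustration. The clock is injected so the run is deterministic and can be checked.

```python
"""Per-client token-bucket rate limiting for an API endpoint (added example).

The request timeline below is constructed; key names and limits are illustrative.
"""
import time
from typing import Callable, Dict, List, Tuple


class TokenBucketLimiter:
    """Each client gets a bucket of `burst` tokens refilled at `rate` tokens/second.

    A request costs one token; with an empty bucket it is rejected (HTTP 429 in practice).
    Buckets are per client, so one flooding key cannot starve another.
    """

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # client -> (tokens, last_ts)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)  # refill since last call
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


def simulate(rate: float, burst: int,
             events: List[Tuple[float, str]]) -> List[Tuple[float, str, bool]]:
    """Replay (timestamp, client) events through a limiter; return (ts, client, allowed)."""
    current = [0.0]
    limiter = TokenBucketLimiter(rate, burst, clock=lambda: current[0])
    results = []
    for ts, client in sorted(events, key=lambda e: e[0]):
        current[0] = ts
        results.append((ts, client, limiter.allow(client)))
    return results


# Constructed timeline: "key-A" fires 20 requests within 20 ms, "key-B" sends one
# request in the middle of that burst, and "key-A" tries again two seconds later.
CONSTRUCTED_EVENTS = [(i * 0.001, "key-A") for i in range(20)] + [(0.010, "key-B"), (2.0, "key-A")]


def run_demo() -> Dict[str, int]:
    """Run the timeline at 1 request/second with a burst of 5 and summarise the outcome."""
    results = simulate(rate=1.0, burst=5, events=CONSTRUCTED_EVENTS)
    return {
        "key-A allowed in burst": sum(1 for ts, c, ok in results if c == "key-A" and ts < 1 and ok),
        "key-A denied in burst": sum(1 for ts, c, ok in results if c == "key-A" and ts < 1 and not ok),
        "key-B allowed": sum(1 for ts, c, ok in results if c == "key-B" and ok),
        "key-A allowed after refill": sum(1 for ts, c, ok in results if c == "key-A" and ts >= 2 and ok),
    }


if __name__ == "__main__":
    for label, count in run_demo().items():
        print(f"{label}: {count}")
```

The same logic sits naturally in a reverse proxy or API gateway keyed on the API token or source address; the values of `rate` and `burst` should be set from the legitimate per-client traffic you observe, not guessed.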
