Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycndoLTI2MnItcjg1as4AAhdz
Dolibarr ERP and CRM malicious executable loading
Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. (Malicious binaries can be uploaded by abusing other functionalities of the application.)
Permalink: https://github.com/advisories/GHSA-2rwh-262r-r85j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycndoLTI2MnItcjg1as4AAhdz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.0018
EPSS Percentile: 0.55506
Identifiers: GHSA-2rwh-262r-r85j, CVE-2019-11200
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-11200
- https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities
- https://github.com/Dolibarr/dolibarr/issues/10984#issuecomment-488297419
- https://github.com/Dolibarr/dolibarr/commit/d6ae62478c8841fdfe58971494818b599f396d4f
- https://github.com/Dolibarr/dolibarr/commit/01075081cbcd9130a72115cdb50ee61fc394edc1
- https://github.com/advisories/GHSA-2rwh-262r-r85j
Blast Radius: 6.8
Affected Packages
packagist:dolibarr/dolibarr
Dependent packages: 0
Dependent repositories: 6
Downloads: 5,029 total
Affected Version Ranges: < 9.0.3
Fixed in: 9.0.3
All affected versions: 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 9.0.0, 9.0.1, 9.0.2
All unaffected versions: 9.0.3, 9.0.4, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.0.5, 15.0.0, 15.0.1, 15.0.2, 15.0.3