Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tNjZ4LXdtMjcteHhwY84AAkZr
Dolibarr Cross-Site Request Forgery Vulnerability
In Dolibarr 10.0.6, forms are protected with a Cross-Site Request Forgery (CSRF) token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.
Permalink: https://github.com/advisories/GHSA-m66x-wm27-xxpcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNjZ4LXdtMjcteHhwY84AAkZr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00112
EPSS Percentile: 0.45518
Identifiers: GHSA-m66x-wm27-xxpc, CVE-2020-11825
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-11825
- https://fatihhcelik.blogspot.com/2020/04/dolibarr-csrf.html
- https://github.com/advisories/GHSA-m66x-wm27-xxpc
Affected Packages
packagist:dolibarr/dolibarr
Dependent packages: 0Dependent repositories: 6
Downloads: 5,025 total
Affected Version Ranges: <= 10.0.6
No known fixed version
All affected versions: 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6