Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tNjZ4LXdtMjcteHhwY84AAkZr

Dolibarr Cross-Site Request Forgery Vulnerability

In Dolibarr 10.0.6, forms are protected against Cross-Site Request Forgery (CSRF) attacks with a CSRF token. The problem is that any CSRF token from any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.

Permalink: https://github.com/advisories/GHSA-m66x-wm27-xxpc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNjZ4LXdtMjcteHhwY84AAkZr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00112
EPSS Percentile: 0.45518

Identifiers: GHSA-m66x-wm27-xxpc, CVE-2020-11825
References:
Blast Radius: 6.8

Affected Packages

packagist:dolibarr/dolibarr
Dependent packages: 0
Dependent repositories: 6
Downloads: 5,025 total
Affected Version Ranges: <= 10.0.6
No known fixed version
All affected versions: 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6