CVE-2019-11201 — HIGH (8.0)

Vulnerability Description

Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server.

CVSS Score

8.0

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Dolibarr	Dolibarr Erp\/Crm	9.0.1

Related Weaknesses (CWE)

CWE-94

References

https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilitiesExploitThird Party Advisory
https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilitiesExploitThird Party Advisory

FAQ

What is CVE-2019-11201?

CVE-2019-11201 is a vulnerability with a CVSS score of 8.0 (HIGH). Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, wh...

How severe is CVE-2019-11201?

CVE-2019-11201 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-11201?

Check the references section above for vendor advisories and patch information. Affected products include: Dolibarr Dolibarr Erp\/Crm.