Vulnerability Description
Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the filename supplied through the zipfilename_template parameter of admin/tools/dolibarr_export.php.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dolibarr | Dolibarr Erp/Crm | 12.0.3 |
Related Weaknesses (CWE)
References
- http://bilishim.com/2020/12/18/zero-hunting-2.html (Exploit, Third Party Advisory)
- https://github.com/Dolibarr/dolibarr/commit/4fcd3fe49332baab0e424225ad10b76b47eb (Patch, Third Party Advisory)
- https://github.com/Dolibarr/dolibarr/releases (Third Party Advisory)
- https://sourceforge.net/projects/dolibarr/ (Product, Third Party Advisory)
FAQ
What is CVE-2020-35136?
CVE-2020-35136 is a vulnerability with a CVSS score of 7.2 (HIGH). Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the filename for...
How severe is CVE-2020-35136?
CVE-2020-35136 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-35136?
Check the references section above for vendor advisories and patch information. Affected products include: Dolibarr Dolibarr Erp/Crm.