Vulnerability Description
In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at “/adherents/note.php?id=1” endpoint.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dolibarr | Dolibarr | >= 2.8.1, <= 13.0.4 |
Related Weaknesses (CWE)
References
- https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b710156PatchThird Party Advisory
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954Third Party Advisory
- https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b710156PatchThird Party Advisory
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954Third Party Advisory
FAQ
What is CVE-2021-25954?
CVE-2021-25954 is a vulnerability with a CVSS score of 4.3 (MEDIUM). In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an ...
How severe is CVE-2021-25954?
CVE-2021-25954 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-25954?
Check the references section above for vendor advisories and patch information. Affected products include: Dolibarr Dolibarr.