Vulnerability Description
In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dolibarr | Dolibarr | >= 3.3.1, <= 13.0.2 |
| Dolibarr | Dolibarr Erp\/Crm | 3.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/Dolibarr/dolibarr/commit/c4cba43bade736ab89e31013a6ccee59a6e0PatchThird Party Advisory
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25956Third Party Advisory
- https://github.com/Dolibarr/dolibarr/commit/c4cba43bade736ab89e31013a6ccee59a6e0PatchThird Party Advisory
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25956Third Party Advisory
FAQ
What is CVE-2021-25956?
CVE-2021-25956 is a vulnerability with a CVSS score of 4.7 (MEDIUM). In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming ...
How severe is CVE-2021-25956?
CVE-2021-25956 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-25956?
Check the references section above for vendor advisories and patch information. Affected products include: Dolibarr Dolibarr, Dolibarr Dolibarr Erp\/Crm.