16.0.2

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

dolibarr

CWE-552

NVD

Published: 2023-06-13

Updated: 2023-06-23

Summary

An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.

Vulnerable Configurations

Part	Description	Count
Application	Dolibarr Dolibarr Dolibarr Erp/Crm 16.0.0 Dolibarr Dolibarr Erp/Crm 16.0.1 Dolibarr Dolibarr Erp/Crm 16.0.2	3

Common Weakness Enumeration (CWE)

CWE-552 - Files or Directories Accessible to External Parties

References

https://www.dsecbypass.com/en/dolibarr-pre-auth-contact-database-dump/
https://www.dolibarr.org/forum/t/dolibarr-16-0-security-breach/23471
https://github.com/Dolibarr/dolibarr/commit/bb7b69ef43673ed403436eac05e0bc31d5033ff7
https://www.dolibarr.org/forum/t/dolibarr-16-0-security-breach/23471/1
https://github.com/Dolibarr/dolibarr/commit/be82f51f68d738cce205f4ce5b469ef42ed82d9e