Back to CVE Browser

CVE-2021-33816

CRITICAL

9.8

CVSS Severity Score

EPSS Score0.1190%

EPSS Percentile2.72th

PublishedNov 10, 2021

Last ModifiedNov 21, 2024

Vulnerability Description

The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.

Affected Platforms (CPE)

📦

Dolibarr

Dolibarr Erp\/crm

= 13.0.2

References & Advisories

🔗 http://seclists.org/fulldisclosure/2021/Nov/39

🔗 https://trovent.github.io/security-advisories/TRSA-2106-01/TRSA-2106-01.txt

🔗 https://trovent.io/security-advisory-2106-01

🔗 http://seclists.org/fulldisclosure/2021/Nov/39

🔗 https://trovent.github.io/security-advisories/TRSA-2106-01/TRSA-2106-01.txt

🔗 https://trovent.io/security-advisory-2106-01

Related Vulnerabilities

CVE-2018-253579.8

Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary c...

CVE-2021-259559.0

In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privile...

CVE-2019-257108.2

Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows a...

CVE-2021-336186.1

Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of...