CVE-2019-11201: Code Injection
First published: Mon Jul 29 2019(Updated: )
Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dolibarr Dolibarr Erp\/crm | =9.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-11201
- https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities
- https://github.com/Dolibarr/dolibarr/issues/10984#issuecomment-485841141
- https://github.com/Dolibarr/dolibarr/commit/63c0ab93fb21f86c1b736061af9fa1eee90148fd
- https://github.com/advisories/GHSA-jwg3-v9xm-v6q9 (Advisory)
- collector/github-advisory-latest
- alias/GHSA-jwg3-v9xm-v6q9
- alias/CVE-2019-11201
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/tags
- agent/first-publish-date
- agent/event
- agent/trending
- package-manager/composer
- vendor/dolibarr
- canonical/dolibarr dolibarr erp\/crm
- version/dolibarr dolibarr erp\/crm/9.0.1