What is the vulnerability ID for this Dolibarr application vulnerability?

The vulnerability ID for this Dolibarr application vulnerability is CVE-2021-25956.

What is the severity level of CVE-2021-25956?

The severity level of CVE-2021-25956 is high with a base score of 7.2.

What is the affected software version range for this vulnerability?

This vulnerability affects Dolibarr application versions from v3.3.beta1_20121221 to v13.0.2, as well as Dolibarr Erp/crm versions 3.3.0-beta1 and 3.3.0-beta2.

How can an admin level user exploit this vulnerability?

An admin level user can exploit this vulnerability by modifying another user's details and failing to validate the already existing login name, leading to a complete account takeover of the victim user.

Is there any fix available for CVE-2021-25956?

Yes, a fix for CVE-2021-25956 is available in the Dolibarr application. It is recommended to update to the latest version (v13.0.3 or above) to mitigate this vulnerability.

Vulnerability/
CVE-2021-25956

high

7.2

CWE

284

11/8/2021

3/8/2024

CVE-2021-25956: Improper User Access Control in "Dolibarr" Leads to Account Takeover

First published: Wed Aug 11 2021(Updated: )

In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.

Credit: vulnerabilitylab@mend.io

Affected Software	Affected Version	How to fix
Dolibarr	>=3.3.1<=13.0.2
Dolibarr ERP & CRM	=3.3.0-beta1
Dolibarr ERP & CRM	=3.3.0-beta2

Remedy

https://github.com/Dolibarr/dolibarr/commit/c4cba43bade736ab89e31013a6ccee59a6e077ee

Remedy

Update to 14.0.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this Dolibarr application vulnerability?
The vulnerability ID for this Dolibarr application vulnerability is CVE-2021-25956.
What is the severity level of CVE-2021-25956?
The severity level of CVE-2021-25956 is high with a base score of 7.2.
What is the affected software version range for this vulnerability?
This vulnerability affects Dolibarr application versions from v3.3.beta1_20121221 to v13.0.2, as well as Dolibarr Erp/crm versions 3.3.0-beta1 and 3.3.0-beta2.
How can an admin level user exploit this vulnerability?
An admin level user can exploit this vulnerability by modifying another user's details and failing to validate the already existing login name, leading to a complete account takeover of the victim user.
Is there any fix available for CVE-2021-25956?
Yes, a fix for CVE-2021-25956 is available in the Dolibarr application. It is recommended to update to the latest version (v13.0.3 or above) to mitigate this vulnerability.

agent/references
agent/type
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/remedy
agent/weakness
agent/severity
agent/author
agent/event
agent/description
agent/first-publish-date
agent/source
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/dolibarr
canonical/dolibarr
version/dolibarr/3.3.1
version/dolibarr/13.0.2
canonical/dolibarr erp & crm
version/dolibarr erp & crm/3.3.0-beta1
version/dolibarr erp & crm/3.3.0-beta2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.