Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php
Vulnerability Description
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
PHP程序中Include/Require语句包含文件控制不恰当(PHP远程文件包含)
Vulnerability Title
Dolibarr 安全漏洞
Vulnerability Description
Dolibarr是Dolibarr开源的一个应用软件。可帮助管理用户组织的活动。 Dolibarr 22.0.4及之前版本存在安全漏洞,该漏洞源于核心AJAX端点/核心/ajax/selectobject.php存在本地文件包含漏洞,可能导致经过身份验证的用户读取任意非PHP文件内容。
CVSS Information
N/A
Vulnerability Type
N/A