# Dolibarr 23.0.2 Security Update Summary

## Vulnerability Overview

This release (23.0.2) includes multiple security fixes and permission improvements, primarily addressing the following critical vulnerabilities:

1. **SSRF (Server-Side Request Forgery)**
   * **ID**: `#GHSA-hh5p-m24x-fwx2`
   * **Description**: Fixes an SSRF vulnerability potentially present in the Webhook functionality, preventing malicious requests.

2. **File Handling/Upload Vulnerability**
   * **ID**: `#GHSA-ph29-326p-chw4`
   * **Description**: Disables and sanitizes deprecated `load/save` file functions to prevent potential file operation risks.

3. **Security Audit Fix**
   * **ID**: `#GHSA-v5fq-cf5m-vwv7`
   * **Description**: Security audit fix from Sec4check (Credit: Grzegorz Tworek, Sec4check), specifically addressing internal logic or permission corrections.

4. **Docker Deployment Security**
   * **ID**: `#37656`
   * **Description**: Fixes multiple issues within the demo Docker packages, providing a more secure deployment method.

5. **API Permission/Authentication Issues**
   * **ID**: `#37530`
   * **Description**: Fixes an issue where the API returns a 401 error when fetching a Warehouse by ID, involving the permission validation logic.

6. **Accounting Module Permissions**
   * **ID**: `#37551`
   * **Description**: Improves permission controls when creating and exporting accounting entries (Use better rights on create / export entry).

## Affected Scope

The affected systems are all users of **Dolibarr ERP/CRM**, particularly in scenarios involving:

* Configuring and using Webhook functionality.
* Operations involving file loading or saving.
* Deploying Dolibarr environments via Docker.
* Calling Dolibarr API endpoints.
* Creating or exporting entries using the Accountancy module.

## Remediation

* **Upgrade Version**: Upgrade the Dolibarr system to version **23.0.2**.
* **Recommendations**: After upgrading, it is recommended to review Webhook configurations, API call permissions, and Docker deployment settings to ensure compliance with new security standards. *(Note: This page does not contain specific POC code or exploit code; it only provides fix descriptions.)*
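For the post-upgrade review of Webhook configurations recommended above, the following added example (not Dolibarr code, and not derived from the GHSA fix itself) classifies each configured webhook target URL and flags the ones that would make the server call loopback, private or otherwise non-public addresses, which is the class of destination an SSRF fix is meant to prevent. The hostnames and DNS answers in `SAMPLE_DNS` are constructed so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers (hypothetical names) so the example runs offline.
SAMPLE_DNS = {
    "hooks.example.net": ["8.8.8.8"],          # public endpoint
    "intranet.local": ["10.0.0.5"],            # RFC 1918 address
    "dual.example.net": ["8.8.8.8", "::1"],    # one public, one loopback record
}

def sample_resolver(host):
    """Stand-in for DNS: every A/AAAA record for host, or gaierror."""
    try:
        return SAMPLE_DNS[host.lower()]
    except KeyError:
        raise socket.gaierror(f"no records for {host}")

def system_resolver(host):
    """Real resolution via getaddrinfo; used when no resolver is injected."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def webhook_target_risk(url, resolver=system_resolver):
    """Return (accepted, reason). A target is accepted only if it is an
    http(s) URL whose every resolved address is globally routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"
    try:  # literal IP in the URL: no lookup needed
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, f"{host!r} does not resolve"
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 part
        if not addr.is_global:  # loopback, private, link-local, reserved...
            return False, f"{host} maps to non-public address {addr}"
    return True, "public target"

def review_webhooks(urls, resolver=system_resolver):
    """Map each configured URL that fails the check to its reason."""
    findings = {}
    for url in urls:
        accepted, reason = webhook_target_risk(url, resolver)
        if not accepted:
            findings[url] = reason
    return findings
```

A name that resolves to a public address at review time can be re-pointed later (DNS rebinding), so the same check belongs at request time, on the address actually connected to, and not only on the stored configuration.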