CVE-2019-15062

HIGH

Dolibarr 11.0.0-alpha - Cross-Site Request Forgery via Linked Files Settings Page

Title source: llm
STIX 2.1

Description

An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

References (2)

Core 2
Core References
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/Dolibarr/dolibarr/issues/11671
Exploit, Third Party Advisory x_refsource_misc
https://gauravnarwani.com/publications/CVE-2019-15062/

Scores

CVSS v3 8.0
EPSS 0.0062
EPSS Percentile 45.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (2)
dolibarr/dolibarr 10.0 - 10.0.2Packagist
dolibarr/dolibarr_erp\/crm 11.0.0 alpha
Published Aug 14, 2019
Tracked Since Feb 18, 2026