CVE-2019-15062
HIGHDolibarr 11.0.0-alpha - Cross-Site Request Forgery via Linked Files Settings Page
Title source: llmDescription
An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)
References (2)
Core 2
Core References
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/Dolibarr/dolibarr/issues/11671
Exploit, Third Party Advisory x_refsource_misc
https://gauravnarwani.com/publications/CVE-2019-15062/
Scores
CVSS v3
8.0
EPSS
0.0062
EPSS Percentile
45.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (2)
dolibarr/dolibarr
10.0 - 10.0.2Packagist
dolibarr/dolibarr_erp\/crm
11.0.0 alpha
Published
Aug 14, 2019
Tracked Since
Feb 18, 2026