CVE-2021-25956

MEDIUM

Dolibarr 3.3.beta1_20121221-13.0.2 - Authenticated Account Takeover via User Login Rename

Title source: llm
STIX 2.1

Description

In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.

References (2)

Core 2

Scores

CVSS v3 4.7
EPSS 0.0094
EPSS Percentile 56.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-284
Status published
Products (3)
dolibarr/dolibarr 3.3.1 - 13.0.2
dolibarr/dolibarr 3.3.beta1 - 14.0.0Packagist
dolibarr/dolibarr_erp\/crm 3.3.0 beta1 (2 CPE variants)
Published Aug 17, 2021
Tracked Since Feb 18, 2026