CVE-2021-33816
Severity: CRITICAL
Dolibarr 13.0.2 - Remote Code Execution via Website Builder Backtick Injection
Title source: llmDescription
The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism: calls to system, exec, and shell_exec are blocked, but the backtick (shell execution) operator is not.
References (3)
Exploit, Third Party Advisory (x_refsource_misc): https://trovent.io/security-advisory-2106-01
Exploit, Third Party Advisory (x_refsource_misc): https://trovent.github.io/security-advisories/TRSA-2106-01/TRSA-2106-01.txt
Exploit, Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2021/Nov/39
Scores
CVSS v3: 9.8
EPSS: 0.0382
EPSS Percentile: 88.7%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-94
Status: published
Products (2)
dolibarr/dolibarr: 13.0.2 - 14.0.0 (Packagist)
dolibarr/dolibarr_erp/crm: 13.0.2
Published: Nov 10, 2021
Tracked Since: Feb 18, 2026