CVE-2019-11201
Description
Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 9.0.3 | 9.0.3 |
Affected products
- Dolibarr ERP/CRM
Vulnerability mechanics
Root cause
"Missing sanitization of PHP code in the website module's WYSIWYG editor allows injection of arbitrary PHP instructions that are executed server-side."
Attack vector
A low-privileged authenticated user sends a POST request to `/dolibarr/website/index.php` with `action=updatesource` and a `PAGE_CONTENT` field containing embedded PHP code (e.g., `shell_exec(...)`). The attacker must also check a setting on the same page that enables inclusion of dynamic content [ref_id=1]. The server then evaluates the injected PHP code, allowing arbitrary command execution under the www-data user context. The proof-of-concept request in the advisory demonstrates a reverse shell being spawned [ref_id=1].
Affected code
The vulnerability resides in `htdocs/website/index.php` and `htdocs/core/lib/website.lib.php`. The `website` module's WYSIWYG editor allowed inclusion of dynamic PHP code via the `PAGE_CONTENT` parameter without adequate sanitization. The patch introduces a new function `dolKeepOnlyPhpCode()` in `website.lib.php` and adds a security analysis block in `index.php` that scans extracted PHP code for forbidden commands [patch_id=1703077].
What the fix does
The patch adds `dolKeepOnlyPhpCode()` in `website.lib.php` to extract only the PHP code segments from the page content, then in `index.php` it scans those segments for a blacklist of dangerous PHP functions (e.g., `exec`, `system`, `shell_exec`, `proc_open`). If the global option `WEBSITE_PHP_ALLOW_WRITE` is not enabled, file-writing functions such as `fopen`, `fwrite`, and `unlink` are also blocked. When a forbidden function is detected, an error is raised and the save action is prevented [patch_id=1703077]. This closes the code injection vector by rejecting content that contains dangerous PHP instructions before it is stored or evaluated.
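The save-time gate described above, rebuilt as an added example rather than Dolibarr's own code: `keepOnlyPhpCode()`, `findForbiddenPhp()` and the `$allowWrite` flag are assumed names standing in for `dolKeepOnlyPhpCode()`, the forbidden-function scan and the `WEBSITE_PHP_ALLOW_WRITE` option. It goes slightly beyond the page's description by tokenizing the extracted segments, so a forbidden name inside a string literal or comment does not trip the check while an actual call does.

```php
<?php
// Added example, not Dolibarr's code: a save-time gate shaped like the fix above.
// keepOnlyPhpCode(), findForbiddenPhp() and $allowWrite are assumed names standing
// in for dolKeepOnlyPhpCode() and the WEBSITE_PHP_ALLOW_WRITE option.
// Keep only what sits between <?php and ?> (or end of input); HTML is dropped.
function keepOnlyPhpCode(string $content): string
{
    preg_match_all('/<\?php(.*?)(?:\?>|$)/s', $content, $m);
    return implode("\n", $m[1]);
}
// First forbidden function actually called in the PHP segments, or null. Tokenizing
// (not substring matching) means "exec" in a string or comment is not flagged.
function findForbiddenPhp(string $content, bool $allowWrite = false): ?string
{
    $execFns  = ['exec', 'system', 'shell_exec', 'proc_open']; // named in the advisory
    $writeFns = ['fopen', 'fwrite', 'unlink'];                 // blocked unless allowed
    $forbidden = $allowWrite ? $execFns : array_merge($execFns, $writeFns);
    $tokens = token_get_all("<?php\n" . keepOnlyPhpCode($content));
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) continue;
        // PHP 8 tokenizes \exec as T_NAME_FULLY_QUALIFIED; PHP 7 yields T_STRING.
        $isName = $t[0] === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $t[0] === T_NAME_FULLY_QUALIFIED);
        if (!$isName) continue;
        $name = strtolower(ltrim($t[1], '\\')); // PHP function names are case-insensitive
        if (!in_array($name, $forbidden, true)) continue;
        // Only a call counts: the next non-whitespace token must be "(".
        for ($j = $i + 1; $j < $n; $j++) {
            if (is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) continue;
            if ($tokens[$j] === '(') return $name;
            break;
        }
    }
    return null; // a denylist stops only the listed calls; it is not a sandbox
}

// Constructed page bodies standing in for the PAGE_CONTENT field.
$pages = [
    'benign'  => '<h1>News</h1><?php echo date("Y"); ?>',
    'comment' => '<?php /* shell_exec is only mentioned here */ echo "ok"; ?>',
    'exec'    => '<div><?php echo shell_exec("id"); ?></div>',
    'write'   => '<?php $h = fopen("notes.txt", "w"); fwrite($h, "x"); ?>',
];
foreach ($pages as $label => $body) {
    $strict  = findForbiddenPhp($body) ?? 'accepted';
    $lenient = findForbiddenPhp($body, true) ?? 'accepted';
    echo "$label: default=$strict, allowWrite=$lenient\n";
}
```

Each line names the first forbidden call found (or `accepted`) under the default setting and with the allow-write option on, so only the file-writing page changes verdict between the two.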
Preconditions
- auth: Attacker must be an authenticated user with access to the website module
- config: The website module must be enabled in Dolibarr
- config: Attacker must check the setting on the page that enables inclusion of dynamic PHP content
- input: Attacker sends a crafted POST request to `/dolibarr/website/index.php` with PHP code in `PAGE_CONTENT`
Reproduction
Send a POST request to `/dolibarr/website/index.php` with the following multipart form data (adjust token, website name, and pageid as needed): `action=updatesource`, `token=
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jwg3-v9xm-v6q9 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-11201 (GHSA, advisory)
- github.com/Dolibarr/dolibarr/commit/63c0ab93fb21f86c1b736061af9fa1eee90148fd (GHSA, web)
- github.com/Dolibarr/dolibarr/issues/10984 (GHSA, web)
- know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities (GHSA, x_refsource_MISC, web)