CVE-2021-33816
Description
The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dolibarr 13.0.2 website builder module allows authenticated remote code execution via backticks due to incomplete command injection filtering.
Vulnerability
The website builder module in Dolibarr 13.0.2 contains an incomplete protection mechanism against PHP code injection. The application blocks dangerous functions such as system, exec, and shell_exec, but fails to block the backtick operator (`...`), which is functionally equivalent to a call to shell_exec(). This allows an authenticated user with access to the website builder to inject arbitrary PHP code. The vulnerability affects Dolibarr version 13.0.2 [1][2][3].
Exploitation
An attacker must be authenticated and have sufficient privileges to use the website builder module. The attacker sends a crafted POST request to /website/index.php containing malicious PHP code enclosed in backticks within the website content. The advisory by Trovent Security provides a full HTTP request example demonstrating the exploitation. The application then evaluates the injected content as PHP, so the backtick operator executes the enclosed command, leading to remote code execution [3].
Impact
Successful exploitation results in remote code execution (RCE) as the web server user. The attacker can execute arbitrary system commands, potentially leading to full compromise of the Dolibarr instance, data exfiltration, or lateral movement within the network. The CVSS score is 9.1 (Critical) with high impact on confidentiality, integrity, and availability [3].
Mitigation
As of the advisory publication date (June 2021), no official patch was available. Users should upgrade to a version beyond 13.0.2 if a fix has been released. As a workaround, restrict access to the website builder module to trusted users only. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog [3].
- [1] GitHub - Dolibarr/dolibarr: Dolibarr ERP CRM, an open source web application (written in PHP) for managing a company's or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...).
- [2] NVD - CVE-2021-33816
- [3] Trovent Security Advisory 2106-01
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | >= 13.0.2, < 14.0.0 | 14.0.0 |
Affected products
- Dolibarr / website builder module
  - (no CPE) range: >= 13.0.2, <= 13.0.2
  - (no CPE) range: >= 13.0.2, < 14.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vxr9-p2xw-m8cf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-33816 (advisory)
- seclists.org/fulldisclosure/2021/Nov/39 (mailing list, Full Disclosure)
- trovent.github.io/security-advisories/TRSA-2106-01/TRSA-2106-01.txt (vendor advisory, text)
- trovent.io/security-advisory-2106-01 (vendor advisory, web)
News mentions
No linked articles in our index yet.