VYPR
High severity · NVD Advisory · Published Jun 13, 2023 · Updated Jan 3, 2025

CVE-2023-33568


Description

An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-33568 is an unauthenticated database dump vulnerability in Dolibarr 16.x before 16.0.5, exposing contact files and sensitive business data.

Vulnerability Overview

CVE-2023-33568 is an authentication bypass vulnerability in Dolibarr ERP/CRM versions 16.x prior to 16.0.5. The issue resides in the file htdocs/public/ticket/ajax/ajax.php, which is accessible without authentication. An unauthenticated attacker can exploit this script to dump the entire contact database, including customers, prospects, suppliers, and employee information, as well as public and private notes associated with those contacts [1][2][3]. The root cause is insufficient access control on the AJAX endpoint, which fails to verify the user's session before processing requests [3].

Exploitation and Attack Surface

The vulnerability can be exploited remotely by sending crafted HTTP requests to the vulnerable script without any prior authentication. The attacker needs only network access to the Dolibarr instance (for example over the internet or a local network). The exploit requires no special privileges or user interaction, which makes it easy to automate [3]. The vulnerable script was present in every 16.x release from 16.0.0 through 16.0.4 [3][4].

Impact

Successful exploitation allows an attacker to retrieve the full database of contact records, which may include sensitive personal and business information. This data breach can lead to identity theft, targeted phishing, competitive intelligence gathering, and reputational damage for the affected organization [3]. The vulnerability is marked as critical due to the high confidentiality impact and low attack complexity.

Mitigation

The vulnerability was fixed in Dolibarr version 16.0.5, released on 2023-03-22 [3][4]. Users are strongly advised to upgrade to 16.0.5 or later, or replace the vulnerable ajax.php file with the patched version provided by the vendor [4]. Version 15 and earlier versions are not affected, nor is version 17 [4]. No workaround other than applying the patch is available. The CVE was published on 2023-06-13 [2].
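Two defender-side checks that follow directly from the facts above, written as an added example for this page (it is not code from VYPR, NVD or the Dolibarr project): a version-range test for the advisory's affected range (>= 16.0.0, < 16.0.5) and a scan of web-server access logs for requests to the unauthenticated script named in the overview. Assumptions are labelled in the code: the log lines are in Apache/nginx "combined" format, htdocs/ is the web root so the script is served under /public/ticket/ajax/ajax.php (possibly below an install prefix such as /dolibarr/), and the sample log lines are constructed, using documentation IP ranges.

```python
import re
from typing import Any, Dict, List, Tuple

# Version range stated by the advisory: 16.0.0 <= v < 16.0.5, fixed in 16.0.5.
AFFECTED_MIN = (16, 0, 0)
FIXED = (16, 0, 5)

# Script named in the advisory. Assumption: htdocs/ is the web root, so the
# file is served under this path, possibly below an install prefix.
VULN_PATH = "/public/ticket/ajax/ajax.php"

# Apache/nginx "combined" access-log format (assumption about the log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'16.0.4' -> (16, 0, 4). A leading 'v' and any '-suffix' are ignored and
    missing components count as 0, so '16.0' compares as 16.0.0. Pre-release
    builds (e.g. '-rc1') are therefore compared as the release they precede."""
    core = version.strip().lstrip("v").split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True when the installed Dolibarr version lies in the advisory's range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def find_endpoint_hits(log_lines: List[str]) -> List[Dict[str, Any]]:
    """Return every request whose path ends with the unauthenticated ticket
    AJAX script, with client IP, timestamp, method, status and response size."""
    hits: List[Dict[str, Any]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if not path.endswith(VULN_PATH):
            continue
        size = m.group("size")
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "bytes": 0 if size == "-" else int(size),
        })
    return hits


def bytes_served_by_ip(hits: List[Dict[str, Any]]) -> Dict[str, int]:
    """Total bytes returned with a 2xx status per client. A large total from a
    single client against this script, on an unpatched 16.x instance, is what
    a successful contact dump looks like in the access log."""
    totals: Dict[str, int] = {}
    for h in hits:
        if 200 <= h["status"] < 300:
            totals[h["ip"]] = totals.get(h["ip"], 0) + h["bytes"]
    return totals


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2023:08:15:02 +0000] "GET /dolibarr/public/ticket/ajax/ajax.php HTTP/1.1" 200 48213 "-" "curl/7.88.1"',
    '198.51.100.20 - - [10/Apr/2023:08:15:09 +0000] "GET /dolibarr/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2023:08:15:11 +0000] "POST /dolibarr/public/ticket/ajax/ajax.php HTTP/1.1" 200 51007 "-" "curl/7.88.1"',
    'malformed entry that should be skipped',
    '192.0.2.44 - - [10/Apr/2023:09:02:40 +0000] "GET /dolibarr/public/ticket/ajax/ajax.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("15.0.3", "16.0.0", "16.0.4", "16.0.5", "17.0.0"):
        print(f"Dolibarr {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    hits = find_endpoint_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['method']} status={h['status']} bytes={h['bytes']}")
    print("2xx bytes per client:", bytes_served_by_ip(hits))
```

Run the version check against the value reported by the installation (or the Packagist constraint shown under "Affected packages") and the log scan against the web server's access log; a client that pulls tens of kilobytes from this script on an instance the version check flags as affected is the event worth investigating, and the only fix the advisory offers is upgrading to 16.0.5 or later.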

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions      Patched versions
dolibarr/dolibarr (Packagist)    >= 16.0.0, < 16.0.5    16.0.5

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 8

News mentions: 0 (no linked articles in our index yet)