CVE-2023-38887
Description
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
File upload vulnerability in Dolibarr ERP/CRM <=17.0.1 allows remote attackers to execute arbitrary code and obtain sensitive information through flawed extension filtering and renaming.
Vulnerability
Overview
CVE-2023-38887 is a file upload vulnerability in Dolibarr ERP CRM version 17.0.1 and earlier. The software fails to properly validate file extensions and rename uploaded files, allowing an attacker to bypass security controls. This flaw stems from insufficient filtering of file types and inadequate renaming logic, enabling the upload of malicious files [1][2].
Exploitation
Conditions
A remote attacker can exploit this vulnerability by sending a specially crafted file upload request to the Dolibarr web interface. No authentication is explicitly required, as the default configuration may expose file upload functionality to unauthenticated users. The attack surface is the document management module, which accepts file uploads without proper validation [2].
Impact
Successful exploitation allows arbitrary code execution on the underlying server. An attacker can upload a PHP web shell or other executable files, leading to full system compromise, data theft, and further lateral movement within the network. Additionally, the vulnerability can be used to obtain sensitive information stored on the server [2].
Mitigation
Dolibarr is an actively maintained open-source project [1][4]. Users should upgrade to the latest version of Dolibarr ERP CRM, as the vulnerability affects versions 17.0.1 and earlier. No official workaround is documented, but disabling file upload functionality or applying strict input validation may reduce risk until a patch is applied.
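The two controls the description names, extension filtering and renaming on upload, are the ones a defender should audit in any file-upload handler. The following is an added illustration, not Dolibarr's code and not the project's fix: it shows a deny-by-default version of both controls in Python so that the checks can be run and tested in isolation. The allowlist, the executable-extension set and the storage-name format are assumptions for this example.

```python
"""Hardened upload-name validation: extension allowlist plus server-side rename.

Added illustration (not Dolibarr code). Demonstrates deny-by-default
extension filtering and client-independent renaming of uploaded files.
"""
import secrets
import unicodedata

# Allowlist of extensions the application actually needs (assumed for the example).
ALLOWED_EXTENSIONS = frozenset({"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv"})

# Extensions that must never appear anywhere in a name, even as an inner
# component such as "report.php.pdf": some server configurations still
# hand such names to the interpreter.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar",
    "cgi", "pl", "py", "sh", "jsp", "asp", "aspx", "htaccess",
})


class UploadRejected(ValueError):
    """Raised when a client-supplied filename fails validation."""


def canonical_name(raw):
    """Reduce a client-supplied name to a bare filename safe to inspect."""
    # Drop any directory component, whichever separator the client used.
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    name = unicodedata.normalize("NFKC", name)
    if "\x00" in name:
        raise UploadRejected("NUL byte in filename")
    # Trailing dots and spaces are silently dropped by some filesystems,
    # which would turn "shell.php." into "shell.php" after a naive check.
    name = name.strip(" .")
    if not name:
        raise UploadRejected("empty filename")
    return name


def check_extensions(name):
    """Return the lower-cased final extension if every component is acceptable."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("no extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not allowed")
    # Inner components are checked too, so "x.php.jpg" fails as well as "x.jpg.php".
    for inner in parts[1:-1]:
        if inner in EXECUTABLE_EXTENSIONS:
            raise UploadRejected(f"executable inner extension .{inner}")
    return ext


def stored_name(raw):
    """Validate RAW and return the server-chosen name to store the file under.

    The stored name is random, so the client controls neither the base name
    nor the directory, and it carries only the validated extension.
    """
    name = canonical_name(raw)
    ext = check_extensions(name)
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(raw):
    """True if RAW would be refused; convenient for tests and audit scripts."""
    try:
        stored_name(raw)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names, not taken from any real upload.
    for sample in ["report.pdf", "IMAGE.JPG", "shell.php", "shell.php.jpg",
                   "shell.php.", "shell.php\x00.jpg", "../../escape.png"]:
        verdict = "rejected" if is_rejected(sample) else "stored as " + stored_name(sample)
        print(f"{sample!r:24} -> {verdict}")
```

Rejecting on the inner components rather than only the last one, and renaming to a random name with the validated extension, removes the two paths a weak filter typically leaves open: a name chosen so that a later rename or filesystem normalisation restores an executable extension, and a name that places the file where the client wants it.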
- GitHub - Dolibarr/dolibarr: Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It's an open source Web application (written in PHP) designed for businesses of any size, foundations and freelancers.
- NVD - CVE-2023-38887
- Dolibarr Open Source ERP and CRM - Web suite for business
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 17.0.1 | 17.0.1 |
Affected products (3)
- Dolibarr / Dolibarr ERP CRM
- OSV coordinates: 2 versions (<= 17.0.1, + 1 more)
- (no CPE) range: <= 17.0.1
- (no CPE) range: < 17.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.