VYPR
High severity · NVD Advisory · Published Nov 1, 2023 · Updated Sep 5, 2024

Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE

CVE-2023-4197

Description

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dolibarr ERP CRM <=18.0.1 fails to sanitize PHP code in Website creation, allowing authenticated attackers to inject and execute arbitrary PHP code.

The vulnerability resides in the Website creation feature of Dolibarr ERP CRM versions up to 18.0.1. The application improperly validates user-supplied input when creating a website, failing to strip PHP code such as <?php ... ?> tags. This allows an attacker to inject arbitrary PHP code into the input, which is then evaluated by the server. The root cause is insufficient input sanitization, classified as CWE-20: Improper Input Validation [1][3].

To exploit this vulnerability, an attacker must have a low-privileged account on the Dolibarr instance and network access to the web interface. The attack complexity is rated as high (AC:H) because exploitation may require specific conditions or knowledge of the injection point. However, no user interaction is required, and the attack vector is network-based. The vulnerability is triggered during the creation of a website, where the injected PHP code is stored and later executed [1].

Successful exploitation allows the attacker to execute arbitrary PHP code with the privileges of the web server. This can lead to full compromise of confidentiality, integrity, and availability of the system, including reading sensitive data, modifying files, or executing system commands. The CVSS v3.1 base score is 7.5 (High) with vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [3].

The issue has been fixed in later versions of Dolibarr. The commit 0ed6a63 addresses the vulnerability by adding proper input validation and stripping PHP code from user input [4]. Users are strongly advised to upgrade to a patched version. There is no known workaround, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) as of the publication date.
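The kind of check a fix for this class of bug has to perform, as an added example written for this page rather than Dolibarr's own code: it flags or strips every PHP open tag in submitted website content and treats an unterminated tag as running to the end of the input, as the PHP interpreter does. The tag patterns and function names are assumptions, not taken from the project.

```python
import re

# Any PHP open tag: "<?php", "<?=", or the bare short tag "<?". The bare
# short tag is included even though it depends on short_open_tag, because
# the validator cannot know how the evaluating interpreter is configured.
_OPEN_TAG = re.compile(r"<\?(?:php\b|=)?", re.IGNORECASE)
_CLOSE_TAG = re.compile(r"\?>")


def find_php_blocks(text: str) -> list[tuple[int, int]]:
    """Return (start, end) offsets of every PHP block in text.

    A block runs from an open tag to the next "?>" or, when no close tag
    follows, to the end of the input: PHP treats an unterminated open tag
    as code up to EOF, so a filter that only matches "<?php ... ?>" pairs
    lets such input through.
    """
    blocks = []
    pos = 0
    while True:
        m = _OPEN_TAG.search(text, pos)
        if not m:
            return blocks
        c = _CLOSE_TAG.search(text, m.end())
        end = c.end() if c else len(text)
        blocks.append((m.start(), end))
        pos = end


def contains_php_code(text: str) -> bool:
    """True when the submitted content carries any PHP block at all."""
    return bool(find_php_blocks(text))


def strip_php_code(text: str) -> str:
    """Remove every PHP block. Rejecting the input (contains_php_code) is
    the stronger choice: stripping is a deny-list and inherits every gap
    in the tag patterns above."""
    out, last = [], 0
    for start, end in find_php_blocks(text):
        out.append(text[last:start])
        last = end
    out.append(text[last:])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: plain HTML followed by an unterminated open tag.
    sample = "<p>Welcome</p><?php echo 1;"
    print(contains_php_code(sample), repr(strip_php_code(sample)))
```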

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
dolibarr/dolibarr (Packagist)  < 18.0.2            18.0.2

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)