Dolibarr ERP CRM (<= 17.0.3) Improper Access Control
Description
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users with low privileges can read the third-party (customer) database table in Dolibarr ERP CRM <= 17.0.3 via the ajaxcompanies.php endpoint, because the endpoint performs no authorization check before returning company records.
Vulnerability
CVE-2023-4198 is an improper access control vulnerability in Dolibarr ERP CRM versions up to and including 17.0.3. The bug stems from missing authorization checks in the ajaxcompanies.php endpoint, which allows an authenticated user with low privileges to read the entire third-party (customer/supplier) database table. The official description confirms that the issue affects the select_company function, which previously had no filter to restrict which company records a low-privileged user could enumerate [1][2][4].
Exploitation
An attacker needs only low-privileged (authenticated) access to the Dolibarr instance. The attack does not require any special administrative permissions. The ajaxcompanies.php endpoint, used for dynamic company selection in various forms, lacks proper server-side authorization checks. By sending crafted requests to that endpoint, an attacker can retrieve the full list of companies, including customers, prospects, and suppliers [4]. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms the attack is network-based, requires low attacker privileges, and has no user interaction [4].
Impact
Successful exploitation leads to the disclosure of sensitive third-party customer data stored in the database. This includes names, contact information, addresses, and other potentially business-critical details about an organization's clients and partners. The confidentiality impact is rated as High in the CVSS score, while integrity and availability remain unaffected [4].
Mitigation
The vulnerability has been patched in the Dolibarr codebase via commit 3065b9c [1][2]. In the fix, hardcoded SQL filters (such as s.client IN (1,3) or s.fournisseur = 1) were moved into variables, but more importantly the commit refactors the code so that an access control check is applied before any company data is returned. Administrators are advised to upgrade to Dolibarr version 17.0.4 or later. As of the advisory publication date (October 11, 2023), no workaround has been published, and the CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [4].
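The fix pattern described above, as an added illustration that is not Dolibarr's own code: a minimal AJAX company-lookup handler in its vulnerable shape (no permission check, filter baked into the SQL literal, whole table returned to any logged-in session) next to a hardened handler that checks the caller's third-party read right first and selects the row filter server-side from a fixed map. The `User` class, its `hasRight()` method, the `societe` table layout and the sample rows are simplified stand-ins constructed for this example, not the project's real classes or schema.

```php
<?php
// Added example, not Dolibarr code: vulnerable vs. hardened AJAX company lookup.
// User/hasRight(), the table layout and the rows below are constructed stand-ins.
declare(strict_types=1);

final class User
{
    /** @param array<string,bool> $rights constructed permission map, e.g. ['societe.lire' => true] */
    public function __construct(public readonly int $id, private array $rights) {}

    public function hasRight(string $module, string $perm): bool
    {
        return $this->rights["$module.$perm"] ?? false;
    }
}

/** Constructed sample data: an in-memory SQLite table shaped like a third-party table. */
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE societe (rowid INTEGER PRIMARY KEY, nom TEXT, client INTEGER, fournisseur INTEGER)');
    $ins = $db->prepare('INSERT INTO societe (nom, client, fournisseur) VALUES (?, ?, ?)');
    foreach ([['Acme Ltd', 1, 0], ['Globex', 3, 0], ['Initech', 0, 1], ['Prospect Co', 2, 0]] as $row) {
        $ins->execute($row);
    }
    return $db;
}

/**
 * Vulnerable shape: the handler trusts that being logged in is enough and
 * returns every matching row, with the customer filter hard-coded in the SQL.
 */
function vulnerableLookup(PDO $db, User $user, string $needle): array
{
    $stmt = $db->prepare('SELECT rowid, nom FROM societe WHERE nom LIKE ? AND client IN (1,3)');
    $stmt->execute(['%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened shape: authorize first, then pick the row filter from a server-side
 * map keyed by the requested mode, so the client can neither skip the check
 * nor inject its own filter text.
 */
function lookupCompanies(PDO $db, User $user, string $needle, string $mode = 'customer'): array
{
    if (!$user->hasRight('societe', 'lire')) {
        // Map this to HTTP 403 in the real handler; nothing is returned.
        throw new RuntimeException("user {$user->id}: third-party read permission required");
    }
    $filters = [
        'customer' => 'client IN (1,3)',   // customers and customer+prospect
        'supplier' => 'fournisseur = 1',
    ];
    if (!isset($filters[$mode])) {
        return [];                          // unknown mode: fail closed
    }
    $sql  = 'SELECT rowid, nom FROM societe WHERE nom LIKE ? AND ' . $filters[$mode] . ' ORDER BY nom LIMIT 50';
    $stmt = $db->prepare($sql);
    $stmt->execute(['%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with the constructed data.
$db      = setupDb();
$lowPriv = new User(2, []);                          // authenticated, but no third-party right
$clerk   = new User(3, ['societe.lire' => true]);    // holds the read right

echo "vulnerable, low-privileged user: ", json_encode(vulnerableLookup($db, $lowPriv, '')), "\n";
try {
    lookupCompanies($db, $lowPriv, '');
} catch (RuntimeException $e) {
    echo "hardened, low-privileged user: denied (", $e->getMessage(), ")\n";
}
echo "hardened, authorized user, suppliers: ", json_encode(lookupCompanies($db, $clerk, '', 'supplier')), "\n";
```

Run it with `php example.php` (PHP 8.1 or later, with the PDO SQLite extension). The point of the ordering in `lookupCompanies()` is that the permission check happens before any query is built; the filter map keeps the SQL fragments out of client reach while still making them configurable in one place, which is the direction the Dolibarr commit took when it moved the hardcoded filters into variables.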
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 18.0.0 | 18.0.0 |
Affected products
- (no CPE) range: <= 17.0.3
- (no CPE) range: < 18.0.0
- Dolibarr / Dolibarr ERP CRM (range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb (GHSA, patch)
- https://github.com/advisories/GHSA-48v2-596x-4jr9 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-4198 (NVD advisory)
- https://starlabs.sg/advisories/23/23-4198 (third-party advisory)
- https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb (GHSA, web)
News mentions
No linked articles in our index yet.