CVE-2024-29477
Description
Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lack of input sanitization during the installation process in Dolibarr ERP CRM up to 19.0.0 allows adjacent attackers to execute arbitrary code via crafted input.
Vulnerability
Overview
CVE-2024-29477 is a code injection vulnerability in Dolibarr ERP CRM versions up to 19.0.0. The lack of input sanitization during the installation process allows an attacker to inject arbitrary code [2]. This flaw is classified under CWE-94: Improper Control of Generation of Code ('Code Injection') [4].
Exploitation
An attacker with adjacent network access can exploit this vulnerability by providing a specifically crafted input during the installation [2]. No authentication is required as the installation process is typically exposed before the application is fully configured. The attack vector is adjacent network (CVSS: AV:A) [4].
Impact
Successful exploitation leads to arbitrary code execution on the target system, potentially resulting in full compromise of the Dolibarr instance [4]. The CVSS base score is 8.4 (High) with high impact on confidentiality, integrity, and availability [4].
Mitigation
The vulnerability has been fixed in Dolibarr version 19.0.1 [4]. Users are advised to update immediately. No workaround is reported, but disabling remote access to the installation script may reduce risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | <= 19.0.0 | — |
Affected products
- Dolibarr/Dolibarr ERP CRM (description)
- OSV coordinates: 2 versions (< 19.0.1, + 1 more)
- (no CPE) range: < 19.0.1
- (no CPE) range: <= 19.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p73x-rpgm-3v56 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-29477 (GHSA, advisory)
- dolibarr.com (GHSA, web)
- github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-29477.md (GHSA, web)
News mentions
No linked articles in our index yet.