VYPR
High severity · NVD Advisory · Published Apr 16, 2024 · Updated Aug 19, 2024

CVE-2024-31503

Description

Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An improper access control vulnerability in Dolibarr ERP CRM up to v19.0.0 allows authenticated attackers to steal session cookies and CSRF tokens, enabling account takeover.

Vulnerability

Analysis

An improper access control vulnerability (CWE-284) exists in Dolibarr ERP CRM versions 19.0.0 and earlier. This flaw allows an authenticated attacker to craft a malicious web page that, when interacted with by a victim user, steals the victim's session cookies and CSRF protection tokens [2]. The root cause is incorrect enforcement of access controls, enabling an attacker to bypass expected restrictions and extract sensitive tokens from other users.

Exploitation

Prerequisites

Exploitation requires the attacker to be an authenticated user within the Dolibarr instance [2]. The victim must also be authenticated and interact with the crafted page (e.g., via a link or direct request). The attack is network-based and requires user interaction, as reflected by the CVSS v3.1 vector: AV:N/PR:H/S:C/I:H/AC:H/UI:R/C:H/A:L, with a base score of 7.5 (High) [3]. The complexity is high because the attacker must first be authenticated and then convince a victim to visit the malicious content.

Impact

Successful exploitation allows the attacker to hijack the victim user's session, potentially gaining access to the same privileges as the victim. This can lead to full account takeover, including the ability to view, modify, or delete sensitive data, and in the case of an administrator account, complete control over the ERP/CRM system [3].

Mitigation

The issue is patched in Dolibarr version 19.0.1 [3]. Users running version 19.0.0 or earlier are strongly recommended to upgrade to the patched release. The vendor's advisory details reference the GitHub repository [1] and the CVE databases [2][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           | Ecosystem | Affected versions | Patched versions
dolibarr/dolibarr | Packagist | <= 19.0.0         | (none listed)

Affected products: 3

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)