CVE-2024-37821
Description
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dolibarr ERP CRM up to v19.0.1 allows arbitrary file upload in the Upload Template function, enabling attackers to execute arbitrary code via crafted .SQL files.
Vulnerability
An arbitrary file upload vulnerability exists in the Upload Template function of Dolibarr ERP CRM versions up to v19.0.1. The application does not adequately validate the files it accepts as website templates, so an attacker can upload a crafted .SQL file containing attacker-chosen SQL statements. Reference [4] classifies the weakness as CWE-89 (SQL Injection), although the root cause the description gives is the unrestricted upload itself.
Exploitation
To exploit this vulnerability, an attacker needs an account that is permitted to upload a website template. By uploading a specially crafted .SQL file, the attacker supplies SQL statements that are executed when the application processes the template. The attack vector is network-reachable; reference [4] records high privileges required (PR:H) and user interaction required (UI:R).
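The check whose absence the Vulnerability and Exploitation paragraphs describe is an allow-list on what an uploaded template may contain. The following is an added illustration, not Dolibarr's own code: it validates member names of an uploaded template, refuses .sql and server-executable types on any dotted suffix (so `shell.php.html` is refused as well as `install.SQL`), and rejects traversal, absolute paths and dotfiles. The extension sets and the sample member list are assumptions constructed for the example.

```python
"""Added example (not Dolibarr's code): allow-list validation of the file names
inside an uploaded website template. The extension sets below are assumptions
chosen for illustration, not the application's real configuration."""
import posixpath

# Assumed allow-list of static asset types a web template legitimately needs.
ALLOWED_EXTENSIONS = frozenset(
    {"html", "css", "js", "png", "jpg", "jpeg", "gif", "svg", "txt", "md"}
)
# Types the application or web server may execute or import. These are checked
# against every dotted suffix, not only the last one, so that a double
# extension such as 'shell.php.html' is refused too.
DANGEROUS_EXTENSIONS = frozenset(
    {"sql", "php", "phtml", "phar", "inc", "htaccess", "sh"}
)


def check_template_member(name: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one file name taken from an uploaded template."""
    if not name or "\x00" in name:
        return False, "empty name or embedded NUL"
    if name.startswith(("/", "\\")) or posixpath.isabs(name):
        return False, "absolute path"
    # Normalise separators, then refuse any empty or traversal component.
    parts = name.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        return False, "path traversal or empty path component"
    base = parts[-1]
    if base.startswith("."):
        return False, "dotfile (for example .htaccess)"
    suffixes = [s.lower() for s in base.split(".")[1:]]
    if not suffixes:
        return False, "no extension"
    if any(s in DANGEROUS_EXTENSIONS for s in suffixes):
        return False, f"executable or SQL extension in {base!r}"
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{suffixes[-1]} not on the allow-list"
    return True, "ok"


def accept_without_validation(name: str) -> tuple[bool, str]:
    """The behaviour the advisory describes: every uploaded name is accepted."""
    return True, "accepted (no validation)"


def filter_template(names):
    """Split member names into an accepted list and a rejected list with reasons."""
    accepted, rejected = [], []
    for n in names:
        ok, why = check_template_member(n)
        if ok:
            accepted.append(n)
        else:
            rejected.append((n, why))
    return accepted, rejected


# Constructed sample member list (not taken from any real template).
SAMPLE_MEMBERS = [
    "index.html",
    "css/style.css",
    "img/logo.png",
    "install.SQL",
    "shell.php.html",
    "../../htdocs/conf/x.html",
    ".htaccess",
    "/etc/passwd.txt",
    "notes",
]

if __name__ == "__main__":
    ok_names, bad_names = filter_template(SAMPLE_MEMBERS)
    print("accepted:", ok_names)
    for n, why in bad_names:
        print(f"rejected {n!r}: {why}")
```

Case-folding the suffixes matters: the advisory's payload is a `.SQL` file, and a deny-list compared case-sensitively would let it through. Checking every suffix rather than only the last closes the double-extension gap on servers that map secondary extensions to handlers.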
Impact
Successful exploitation allows the attacker to execute arbitrary code on the underlying system, potentially leading to privilege escalation and full compromise of the application. The CVSS base score is 8.4 (High), indicating significant impact on confidentiality, integrity, and availability [4].
Mitigation
The vulnerability has been addressed in Dolibarr version 19.0.2. Users are strongly advised to upgrade to this version or later. As of the publication date, no workarounds have been documented [1][4].
- GitHub - Dolibarr/dolibarr: Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). it's an open source Web application (written in PHP) designed for businesses of any sizes, foundations and freelancers.
- CVEs/2024/CVE-2024-37821.md at master · alexbsec/CVEs
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 19.0.2 | 19.0.2 |
Affected products
Affected products (3)
- Dolibarr / ERP CRM (OSV coordinates, 2 versions): < 19.0.2, plus 1 more
- (no CPE): range < 19.0.2
- (no CPE): range < 19.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
References (4)
- github.com/advisories/GHSA-p7r8-7w87-8g46 (source: GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-37821 (source: GHSA; advisory)
- dolibarr.com (source: GHSA; web)
- github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-37821.md (source: GHSA; web)
News mentions
No linked articles in our index yet.