CVE-2021-25954

In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at “/adherents/note.php?id=1” endpoint.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377	Patch Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954	Third Party Advisory
https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377	Patch Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:55

Type	Values Removed	Values Added
References	~~() https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377 - Patch, Third Party Advisory~~	() https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377 - Patch, Third Party Advisory
References	~~() https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954 - Third Party Advisory~~	() https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954 - Third Party Advisory

Information

Published : 2021-08-09 17:15

Updated : 2024-11-21 05:55

NVD link : CVE-2021-25954

Mitre link : CVE-2021-25954

CVE.ORG link : CVE-2021-25954

JSON object : View

Products Affected

dolibarr

dolibarr

CWE

CWE-284

Improper Access Control

CWE-863

Incorrect Authorization

{"id": "CVE-2021-25954", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "vulnerabilitylab@mend.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2021-08-09T17:15:07.307", "references": [{"url": "https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377", "tags": ["Patch", "Third Party Advisory"], "source": "vulnerabilitylab@mend.io"}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954", "tags": ["Third Party Advisory"], "source": "vulnerabilitylab@mend.io"}, {"url": "https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "vulnerabilitylab@mend.io", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "In \u201cDolibarr\u201d application, 2.8.1 to 13.0.4 don\u2019t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at \u201c/adherents/note.php?id=1\u201d endpoint."}, {"lang": "es", "value": "En la aplicaci\u00f3n Dolibarr, versiones 2.8.1 hasta 13.0.4, no se restringe o se restringe incorrectamente el acceso a un recurso de un actor no autorizado. Un atacante poco privilegiado puede modificar la Nota Privada que s\u00f3lo un administrador tiene derechos para hacer, el campo afectado se encuentra en el endpoint \"/adherents/note.php?id=1\""}], "lastModified": "2024-11-21T05:55:40.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EEDBE20F-CD40-424A-9E8E-A8A941B5BFCB", "versionEndIncluding": "13.0.4", "versionStartIncluding": "2.8.1"}], "operator": "OR"}]}], "sourceIdentifier": "vulnerabilitylab@mend.io"}