Submission #818838: Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side

Information

Title: Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side

Description:
Dolibarr ERP/CRM fails to enforce authorization on the /user/messaging.php endpoint. An authenticated user with zero permissions — including 'Read other users' explicitly disabled — can access the full profile of any user in the system by manipulating the 'id' GET parameter in the URL. The application returns full profile data instead of a 403 Forbidden response.

AFFECTED ENDPOINT
GET /dolibarr/user/messaging.php?id=[USER_ID]

DATA EXPOSED
- Username and profile photo
- Account status (active/inactive)
- Full permission list and count
- Account creation and last modification timestamps
- Server timezone (inferable from timestamp delta)

STEPS TO REPRODUCE
1. Log in with a standard non-admin account (0 permissions, Read other users = OFF)
2. Navigate to: /dolibarr/user/messaging.php?id=1
3. Observe full SuperAdmin profile returned (username, 17 permissions, timestamps)
4. Change id=4 — full profile of dr.bales returned (5 permissions)
5. Increment ID to enumerate all users in the organization

IMPACT
- Full internal user enumeration across the organization
- Permission reconnaissance to identify high-privilege targets
- Targeted spear-phishing using harvested usernames and profile photos
- Privilege escalation path via SuperAdmin account targeting
- Server timezone leak via timestamp delta (UTC+1)

PATCH / VENDOR FIX
https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2

DISCOVERED BY
Aksoum Abderrahmane

REFERENCES
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
- https://cwe.mitre.org/data/definitions/639.html
Source: ⚠️ https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2
User: Abderrahmane Aksoum (UID 97571)
Submission: 04/05/2026 03:18 PM (1 month ago)
Moderation: 30/05/2026 07:52 AM (26 days later)
Status: Accepted
VulDB Entry: 367407 [Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2 messaging.php identification privilege escalation]
Points: 20
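The flaw described in this submission is a missing server-side authorization check on an object looked up by a caller-supplied id (CWE-639). The following is an added example, not Dolibarr's code and not taken from the vendor commit, showing the deny-by-default pattern such a profile endpoint should follow: the requester must be an admin, the profile owner, or hold an explicit "read other users" right, and that decision is made before the record is fetched so that an unauthorized caller cannot distinguish existing ids from missing ones. The right name `user.user.lire`, the `User` model, the sample accounts and the audit log are all assumptions constructed for the example.

```python
"""Deny-by-default authorization for a user-profile endpoint (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical right name modelled on the "Read other users" permission
# mentioned in the report; not Dolibarr's own identifier.
READ_OTHER_USERS = "user.user.lire"


@dataclass(frozen=True)
class User:
    id: int
    login: str
    is_admin: bool = False
    rights: FrozenSet[str] = field(default_factory=frozenset)


# Constructed sample directory (not real accounts).
USERS: Dict[int, User] = {
    1: User(1, "superadmin", is_admin=True),
    2: User(2, "hr.manager", rights=frozenset({READ_OTHER_USERS})),
    3: User(3, "newhire"),  # zero rights, like the reporter's test account
}

# Denied requests are recorded so that id-walking shows up in monitoring.
AUDIT_LOG: List[str] = []


def can_read_user(requester: User, target_id: int) -> bool:
    """Server-side decision: admin, the profile owner, or an explicit right."""
    if requester.is_admin:
        return True
    if requester.id == target_id:
        return True
    return READ_OTHER_USERS in requester.rights


def profile_view(target: User) -> dict:
    """Fields the page reports as exposed; only built after authorization."""
    return {
        "id": target.id,
        "login": target.login,
        "admin": target.is_admin,
        "right_count": len(target.rights),
    }


def get_user_profile(requester: User, target_id: int) -> Tuple[int, dict]:
    """Handle GET ...?id=<target_id>; returns (HTTP status, JSON-like body)."""
    # Authorize before looking the record up: an unauthorized caller always
    # gets 403, so 403-vs-404 cannot be used to learn which ids exist.
    if not can_read_user(requester, target_id):
        AUDIT_LOG.append(f"DENY user={requester.id} target={target_id}")
        return 403, {"error": "Forbidden"}
    target = USERS.get(target_id)
    if target is None:
        return 404, {"error": "Not found"}
    return 200, profile_view(target)


if __name__ == "__main__":
    for requester_id, target_id in [(3, 1), (3, 3), (2, 1), (3, 99), (2, 99)]:
        status, body = get_user_profile(USERS[requester_id], target_id)
        print(f"user {requester_id} -> id={target_id}: {status} {body}")
    print("\n".join(AUDIT_LOG))
```

The ordering of the checks is the point: looking the record up first and authorizing afterwards still leaks whether an id exists, and building the profile view before the check is how the unpatched endpoint ended up returning full data to a zero-permission account.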
