Submission #818838: Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side

Information

Title: Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side
Description: Dolibarr ERP/CRM fails to enforce authorization on the /user/messaging.php endpoint. An authenticated user with zero permissions — including 'Read other users' explicitly disabled — can access the full profile of any user in the system by manipulating the 'id' GET parameter in the URL. The application returns full profile data instead of a 403 Forbidden response.

AFFECTED ENDPOINT
GET /dolibarr/user/messaging.php?id=[USER_ID]

DATA EXPOSED
- Username and profile photo
- Account status (active/inactive)
- Full permission list and count
- Account creation and last modification timestamps
- Server timezone (inferable from timestamp delta)

STEPS TO REPRODUCE
1. Log in with a standard non-admin account (0 permissions, Read other users = OFF)
2. Navigate to: /dolibarr/user/messaging.php?id=1
3. Observe full SuperAdmin profile returned (username, 17 permissions, timestamps)
4. Change id=4 — full profile of dr.bales returned (5 permissions)
5. Increment ID to enumerate all users in the organization

IMPACT
- Full internal user enumeration across the organization
- Permission reconnaissance to identify high-privilege targets
- Targeted spear-phishing using harvested usernames and profile photos
- Privilege escalation path via SuperAdmin account targeting
- Server timezone leak via timestamp delta (UTC+1)

PATCH / VENDOR FIX
https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2

DISCOVERED BY
Aksoum Abderrahmane

REFERENCES
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
- https://cwe.mitre.org/data/definitions/639.html
Source: https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2
User: Abderrahmane Aksoum (UID 97571)
Submitted: 04.05.2026 15:18 (1 month ago)
Moderated: 30.05.2026 07:52 (26 days later)
Status: accepted
VulDB entry: 367407 [Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2 messaging.php ID privilege escalation]
Points: 20
