Submit #834038: Dolibarr Dolibarr ERP/CRM up to 23.0.3 Missing Authorization

Title: Dolibarr Dolibarr ERP/CRM up to 23.0.3 Missing Authorization
Description:

Dolibarr ERP/CRM versions up to 23.0.2 contain a missing authorization check in the filemanagerdol integration. The endpoints /dolibarr/core/filemanagerdol/browser/default/browser.php and /dolibarr/core/filemanagerdol/connectors/php/connector.php only verify that a session exists but do not enforce permission checks. As a result, any authenticated user, even one with zero permissions, can access the file manager interface, create directories, change the company logo and upload files to the server. This bypasses Dolibarr's permission system and allows unauthorized file system access, directory creation, and file uploads. Depending on server configuration, this may lead to privilege escalation or remote code execution.

Two accounts created:
Account A: Administrator
Account B: Regular user with zero permissions (confirmed via /dolibarr/user/perms.php)

Steps to Reproduce:
1. Login as Account B (zero-permission user).
2. Navigate directly to the vulnerable endpoint:
   http://localhost/dolibarr/core/filemanagerdol/browser/default/browser.php?Type=Image&Connector=/dolibarr/core/filemanagerdol/connectors/php/connector.php
   The file manager interface loads successfully: no access denied, no redirect, no permission error.
3. Use the "NOUVEAU REPERTOIRE" button to create a folder on the server. Result: Folder creation succeeds.
4. Use the UPLOAD button to upload an image file into that folder. Result: Upload succeeds.
5. Logout Account B and login as Account A (Administrator). Navigate to the same endpoint. Result: The folder and file created by Account B are fully visible and accessible.

This PoC shows clearly that any authenticated user can upload images and even change the company logo, which is a direct business impact beyond technical severity.

Impact:
- Privilege boundary violation (zero-permission users gain write access).
- Unauthorized file system access, including sensitive paths.
- Arbitrary directory creation and file uploads.
- Potential escalation to RCE via crafted uploads.
- Exposure of company data across shared Dolibarr instances.

Acknowledgment / Credit:
This vulnerability was reported by Aksoum Abderrahmane and has been acknowledged and credited in the Dolibarr project's official release notes for version 23.0.3.
Fix commit: https://github.com/dolibarr/dolibarr/commit/f1b2dd6481e22cacb561d29ffdcd3a50b618479d
Release notes: https://github.com/Dolibarr/dolibarr/releases
The Dolibarr maintainers confirmed the issue and applied a patch, with public credit given to the reporter in both the commit and the release catalog.

References:
- Dolibarr commit with fix and credit
- Dolibarr 23.0.3 release notes with credit
- CWE-284: Improper Access Control
- CWE-434: Unrestricted File Upload
- OWASP A01:2021 — Broken Access Control

Reporter: Aksoum Abderrahmane (credited in commit and release notes)
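The defect described above is a gate that tests only for a session and never asks which permission the caller holds. The PHP below is an added illustration written for this page; it is not Dolibarr's code and not the content of the fix commit. The class AppUser, the permission names (filemanager.read, filemanager.write), the action names and the two constructed accounts are all assumptions made for the example. It places the session-only gate beside a gate that requires an explicit per-action permission: with the session-only gate the zero-permission account passes for browse, mkdir and upload alike, while the permission gate denies it all three and still admits the administrator.

```php
<?php
// Added illustration (not Dolibarr's code, not the fix commit): a session-only
// gate versus one that also enforces a per-action permission. All names here
// (AppUser, filemanager.* rights, account_a/account_b) are constructed.

final class AppUser
{
    public function __construct(
        public readonly string $login,
        public readonly bool $isAdmin,
        /** @var array<string, bool> permission flags granted to this user */
        private readonly array $rights = [],
    ) {}

    public function hasRight(string $right): bool
    {
        return $this->isAdmin || ($this->rights[$right] ?? false);
    }
}

// Vulnerable pattern: any logged-in session passes, whatever its rights are.
function gateSessionOnly(?AppUser $user): bool
{
    return $user !== null;
}

// Hardened pattern: the endpoint names the permission it requires, and that
// check runs before any file-system action (listing, mkdir, upload).
function gateWithPermission(?AppUser $user, string $requiredRight): bool
{
    if ($user === null) {
        return false;          // no session at all
    }
    return $user->hasRight($requiredRight);
}

// Each file-manager action maps to its own explicit permission, so a user who
// may browse is not implicitly allowed to write.
const FILEMANAGER_RIGHTS = [
    'browse' => 'filemanager.read',
    'mkdir'  => 'filemanager.write',
    'upload' => 'filemanager.write',
];

function fileManagerAllowed(?AppUser $user, string $action): bool
{
    if (!isset(FILEMANAGER_RIGHTS[$action])) {
        return false;          // unknown action: deny by default
    }
    return gateWithPermission($user, FILEMANAGER_RIGHTS[$action]);
}

// Constructed accounts mirroring the report: an administrator and a user that
// holds no permissions at all.
$admin     = new AppUser('account_a', true);
$zeroPerms = new AppUser('account_b', false, []);

foreach (['browse', 'mkdir', 'upload'] as $action) {
    printf(
        "%-7s session-only: A=%s B=%s | with permission: A=%s B=%s\n",
        $action,
        gateSessionOnly($admin) ? 'allow' : 'deny',
        gateSessionOnly($zeroPerms) ? 'allow' : 'deny',
        fileManagerAllowed($admin, $action) ? 'allow' : 'deny',
        fileManagerAllowed($zeroPerms, $action) ? 'allow' : 'deny',
    );
}
```

Two design points carry the weight here: the permission is checked per action rather than once at the entry point, so a browse-only grant cannot be stretched into a write, and an unrecognised action is denied rather than allowed. Run with `php` 8.1 or newer (constructor property promotion with readonly).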
User: Abderrahmane Aksoum (UID 97571)
Submission: 05/20/2026 11:41 (21 days ago)
Moderation: 06/08/2026 22:13 (19 days later)
Status: Accepted
VulDB entry: 369300 [Dolibarr ERP CRM up to 23.0.2 Legacy Filemanager config.inc.php improper authorization]
Points: 17
