Submission #818838: Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side - Info

Title: Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side
Description:

Dolibarr ERP/CRM fails to enforce authorization on the /user/messaging.php endpoint. An authenticated user with zero permissions — including 'Read other users' explicitly disabled — can access the full profile of any user in the system by manipulating the 'id' GET parameter in the URL. The application returns full profile data instead of a 403 Forbidden response.

AFFECTED ENDPOINT
GET /dolibarr/user/messaging.php?id=[USER_ID]

DATA EXPOSED
- Username and profile photo
- Account status (active/inactive)
- Full permission list and count
- Account creation and last modification timestamps
- Server timezone (inferable from timestamp delta)

STEPS TO REPRODUCE
1. Log in with a standard non-admin account (0 permissions, Read other users = OFF)
2. Navigate to: /dolibarr/user/messaging.php?id=1
3. Observe full SuperAdmin profile returned (username, 17 permissions, timestamps)
4. Change id=4 — full profile of dr.bales returned (5 permissions)
5. Increment ID to enumerate all users in the organization

IMPACT
- Full internal user enumeration across the organization
- Permission reconnaissance to identify high-privilege targets
- Targeted spear-phishing using harvested usernames and profile photos
- Privilege escalation path via SuperAdmin account targeting
- Server timezone leak via timestamp delta (UTC+1)

PATCH / VENDOR FIX
https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2

DISCOVERED BY
Aksoum Abderrahmane

REFERENCES
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
- https://cwe.mitre.org/data/definitions/639.html
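The defect the description reports is an endpoint that authenticates the caller but never authorizes the requested 'id' (CWE-639). The following Python sketch is an added illustration, not Dolibarr's code and not the vendor's patch (which is only linked on this page): it places a handler that trusts the id parameter beside a hardened one that checks the caller's right to view other users before loading any record. The user directory, the 'user.read_others' right name and the status codes are assumptions made for the example.

```python
"""Added illustration (not Dolibarr's code): an id-parameterised profile
endpoint with and without a server-side authorization check."""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    login: str
    is_admin: bool = False
    rights: set = field(default_factory=set)  # hypothetical permission keys


# Constructed sample directory; logins and right names are assumptions.
USERS = {
    1: User(1, "superadmin", is_admin=True, rights={"user.read_others", "user.write"}),
    4: User(4, "dr.bales", rights={"user.read_others"}),
    7: User(7, "viewer"),  # zero permissions, "Read other users" OFF
}


def parse_id(raw):
    """Return the id as an int, or None when the parameter is missing or malformed."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def serialize(user):
    """Profile fields the endpoint would render (a subset of what the advisory lists)."""
    return {"id": user.id, "login": user.login, "is_admin": user.is_admin,
            "rights": sorted(user.rights)}


def can_read_profile(viewer, target_id):
    """Own profile is always readable; other profiles need the (hypothetical)
    'user.read_others' right or admin status."""
    if viewer.id == target_id:
        return True
    return viewer.is_admin or "user.read_others" in viewer.rights


def profile_view_vulnerable(viewer, params):
    """Before: only checks that a session exists, then trusts the id parameter."""
    target = USERS.get(parse_id(params.get("id")))
    if target is None:
        return 404, None
    return 200, serialize(target)


def profile_view_fixed(viewer, params):
    """After: authorize the requested id before touching the record."""
    target_id = parse_id(params.get("id"))
    if target_id is None:
        return 400, None
    # Decide before the lookup, so an unprivileged caller gets the same 403
    # for existing and non-existing ids and cannot enumerate via 403 vs 404.
    if not can_read_profile(viewer, target_id):
        return 403, None
    target = USERS.get(target_id)
    if target is None:
        return 404, None
    return 200, serialize(target)


if __name__ == "__main__":
    viewer = USERS[7]  # zero-permission account from the constructed directory
    for handler in (profile_view_vulnerable, profile_view_fixed):
        status, body = handler(viewer, {"id": "1"})
        print(handler.__name__, status, body)
```

The ordering in profile_view_fixed is deliberate: the permission decision depends only on the caller and the requested id, so it is made before the database lookup and a zero-permission account receives 403 whether or not the id exists, which closes the 403/404 oracle that would otherwise still allow counting users.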
Source: https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2
User: Abderrahmane Aksoum (UID 97571)
Submitted: 04/05/2026 15:18 (1 month ago)
Moderated: 30/05/2026 07:52 (26 days later)
Status: accepted
VulDB entry: 367407 [Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2 messaging.php ID privilege escalation]
Points: 20