Improper Privilege Management in Dolibarr/dolibarr

Valid
Reported on May 19th 2021

💥 BUG

Privilege escalation bug: a user with read-only rights can delete a product's file link.

💥 VIDEO POC

https://drive.google.com/file/d/1u1Ni7x4m66W9KE2PwUSkp5d3a33Z1ngM/view?usp=sharing

💥 STEPS TO REPRODUCE

1. From the admin account, go to https://localhost/dolibarr/htdocs/user/home.php?leftmenu=users and add a user B.
Give this user read-only permission in the product module.

2. From the admin account, add a file link to a product.

3. Log in as user B and open that product.
User B can only read here and cannot write anything.
Open the link URL under the linked files.

Now user B sends the request below to delete the link: http://localhost/dolibarr/htdocs/product/document.php?id=1&urlfile=&linkid=1&id=1&action=confirm_deletefile&confirm=yes
The linkid parameter value can be changed here.

💥 Impact

Privilege escalation: a user with only read permission on the product module can delete file links, and the linkid parameter is not tied to the product the user is viewing.
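The fix a maintainer would want is a server-side write-permission check before the confirm_deletefile action, plus a check that the linkid belongs to the product in the request. The Python below is an added illustration of that handler logic, not Dolibarr's own PHP code; the User class, the "product"/"read"/"write" right names, the LINKS store and the handle_document_request function are constructed for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class User:
    login: str
    # module -> right -> granted, e.g. {"product": {"read": True, "write": False}}
    rights: dict = field(default_factory=dict)

    def can(self, module: str, right: str) -> bool:
        return bool(self.rights.get(module, {}).get(right, False))


# Constructed sample data: linked files keyed by link id, each bound to a product id.
LINKS = {
    1: {"product_id": 1, "url": "https://example.invalid/datasheet.pdf"},
    2: {"product_id": 2, "url": "https://example.invalid/other.pdf"},
}


def handle_document_request(user: User, url: str, links: dict):
    """Model of a document.php confirm_deletefile handler with the checks the
    report shows to be missing. Returns (HTTP status, message); on success the
    link is removed from `links`."""
    qs = parse_qs(urlsplit(url).query)
    action = qs.get("action", [""])[0]
    confirm = qs.get("confirm", [""])[0]
    if action != "confirm_deletefile" or confirm != "yes":
        return 400, "unsupported action"
    try:
        product_id = int(qs.get("id", [""])[0])
        linkid = int(qs.get("linkid", [""])[0])
    except ValueError:
        return 400, "id and linkid must be integers"
    # Check 1 (the one the report bypasses): deleting a link is a write on the
    # product module, so a read-only right must not be enough.
    if not user.can("product", "write"):
        return 403, f"{user.login} has no write right on the product module"
    # Check 2: the link must belong to the product in the URL, so a tampered
    # linkid cannot reach another product's links.
    link = links.get(linkid)
    if link is None or link["product_id"] != product_id:
        return 404, "no such link on this product"
    del links[linkid]
    return 200, f"deleted link {linkid} ({link['url']})"


if __name__ == "__main__":
    req = ("http://localhost/dolibarr/htdocs/product/document.php"
           "?id=1&urlfile=&linkid=1&id=1&action=confirm_deletefile&confirm=yes")
    print(handle_document_request(User("B", {"product": {"read": True}}), req, dict(LINKS)))
```

Replaying the report's request as user B now returns 403 and leaves the link in place; only a user holding the write right on the product module can delete it, and only for links that belong to the product in the URL.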