Improper Privilege Management in Dolibarr/dolibarr

Valid
Reported on May 19th 2021

💥 BUG

An unprivileged user can see all details of a product.

💥 STEP TO REPRODUCE

1. From the admin account, add user B as a normal user.
Do not give user B any permission for the Product module.
So user B should not be able to see any product details.

2. Now, from the admin account, create a product.

3. Finally, go to user B's account and visit http://localhost/dolibarr/htdocs/product/note.php?id=1 to see the product details.
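The flaw described above is a page handler that loads a record by its `id` parameter without first checking the caller's module rights. The following is an added illustration, not Dolibarr's own code: a vulnerable handler next to its deny-by-default version, with a constructed `$products` table, a stand-in `$user` object, and the Dolibarr-style right name `produit->lire` assumed rather than taken from the report.

```php
<?php
// Added example, not Dolibarr's own code. Models the flaw in the report:
// a page that loads a product by ?id= without an authorization check,
// next to the deny-by-default version. The right name produit->lire and
// the stand-in $user/$products structures are assumptions.
$products = [1 => ['ref' => 'PROD-1', 'note' => 'internal pricing note']]; // constructed

function makeUser(string $login, bool $canReadProducts): object
{
    return (object) [
        'login'  => $login,
        'rights' => (object) ['produit' => (object) ['lire' => $canReadProducts]],
    ];
}

// Vulnerable: any authenticated user who can reach the URL gets the record.
function notePageVulnerable(array $products, object $user, int $id): ?array
{
    return $products[$id] ?? null;
}

// Hardened: check the module right before touching the id at all, and log
// refusals so repeated id probing by one account is visible in the logs.
function notePageHardened(array $products, object $user, int $id): ?array
{
    if (empty($user->rights->produit->lire)) {
        error_log(sprintf('access denied: user=%s product id=%d', $user->login, $id));
        return null; // caller must render an access-denied page, not the product
    }
    return $products[$id] ?? null;
}

$userB = makeUser('userB', false); // normal user, no Product module permissions
$admin = makeUser('admin', true);

// User B obtains the note through the vulnerable handler but is refused by the hardened one;
// the admin account is allowed through both.
$leak    = notePageVulnerable($products, $userB, 1);
$blocked = notePageHardened($products, $userB, 1);
$ok      = notePageHardened($products, $admin, 1);
```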

💥 VIDEO

https://drive.google.com/file/d/1eWbN2wfsyCmPRaAhEVQcSHsuugNcF_nC/view?usp=sharing

💥 Impact

Privilege escalation