Improper Privilege Management in dolibarr/dolibarr


Reported on

May 23rd 2021


unprivileged user can attach agenda with leave.


user who dont have any access in leave can add agenda to this leave


dolibarr 14.0.0-beta


1. First goto admin account and add user B as normal user .
Now give user B bellow permission for Agenda module .

-->Read actions (events or tasks) linked to his user account (if owner of event or just assigned to)
-->Create/modify actions (events or tasks) linked to his user account (if owner of event)

Now dont give any permission for Leave Request Management module .

So, user B cant see any leave .

2. Now from admin account goto HRM module and add a new leave .Leave aprooval and owner of this leave will be admin himself .

3. Finally goto user B account and visit url http://localhost/dolibarr-develop/htdocs/comm/action/card.php?action=create&datep=20210523091745&origin=holiday&originid=1&backtopage=%2Fdolibarr-develop%2Fhtdocs%2Fholiday%2Fcard.php%3Fid%3D1 . Now user B will get a form to created a agenda . After submiiting the form this agenda will be attached to above created leave .

So, user B dont have any permission in leave management but still can attach agenda to a leave .

Laurent Destailleur validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur marked this as fixed with commit 96436c 2 years ago
Laurent Destailleur has been awarded the fix bounty
to join this conversation