Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid

Reported on

Jul 21st 2021

✍️ Description

CSRF bug to validate inventory

🕵️‍♂️ Proof of Concept

Here it does not check token parameter for csrf .You can remove token paramater from url. bellow request is vulnerable to csrf attack when validate inventory .
https://demo.dolibarr.org/product/inventory/inventory.php?id=1&action=confirm_validate&confirm=yes

💥 Impact

csrf attack

We have contacted a member of the dolibarr team and are waiting to hear back 2 years ago

ranjit-git modified the report

2 years ago

ranjit-git modified the report

2 years ago

Laurent Destailleur marked this as fixed with commit 858a5a 2 years ago

Laurent Destailleur has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We have contacted a member of the dolibarr team and are waiting to hear back 2 years ago

ranjit-git modified the report

2 years ago

ranjit-git modified the report

2 years ago

Laurent Destailleur marked this as fixed with commit 858a5a 2 years ago

Laurent Destailleur has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation