Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid

Reported on

Jul 21st 2021


✍️ Description

CSRF bug allowing removal of a linked file

🕵️‍♂️ Proof of Concept

The request below is vulnerable to a CSRF attack when removing a linked file: the state-changing `remove_file` action is triggered by a plain GET request with no anti-CSRF token.
https://demo.dolibarr.org/expensereport/card.php?id=202&action=remove_file&file=%28PROV202%29%2F%28PROV202%29.pdf&entity=1
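The standard mitigation for this class of bug is to require a per-session synchronizer token on every state-changing request and to refuse such actions over GET. The following is an added example written for this page, not Dolibarr's own code or its actual fix; the function names (`csrf_token`, `csrf_check`, `handle_remove_file`) and the `token` parameter name are assumptions. The constructed request parameters mirror the shape of the PoC URL above.

```php
<?php
// Added example (not Dolibarr's code): synchronizer-token protection for a
// state-changing "remove_file" action. All function names are hypothetical.

session_start();

// Issue one random token per session. It must be rendered into every form
// that performs a state-changing action (as a hidden input named "token").
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept the request only when it is a POST carrying a token that matches
// the session token. hash_equals() gives a constant-time comparison.
function csrf_check(string $method, array $params, ?string $sessionToken): bool
{
    if ($method !== 'POST') {
        return false; // a state change must not be reachable through a GET link
    }
    if ($sessionToken === null || empty($params['token'])) {
        return false;
    }
    return hash_equals($sessionToken, (string) $params['token']);
}

// Handler for the pattern in the PoC: action=remove_file&file=...
function handle_remove_file(string $method, array $params, ?string $sessionToken): string
{
    if (($params['action'] ?? '') !== 'remove_file') {
        return 'no-op';
    }
    if (!csrf_check($method, $params, $sessionToken)) {
        http_response_code(403);
        return 'rejected: missing or invalid CSRF token';
    }
    // The per-object authorization check on $params['id'] and the actual
    // deletion belong here; this example only demonstrates the token gate.
    return 'removed ' . basename((string) $params['file']);
}

// Demonstration with constructed inputs.
$token  = csrf_token();
$params = ['action' => 'remove_file', 'id' => '202', 'file' => '(PROV202)/(PROV202).pdf'];

// A cross-site GET (the shape of the PoC URL) carries no token and is refused.
echo handle_remove_file('GET', $params, $token), PHP_EOL;

// A form submission from the application's own page carries the token and passes.
echo handle_remove_file('POST', $params + ['token' => $token], $token), PHP_EOL;
```

The form that offers the "remove" button would embed the token as `<input type="hidden" name="token" value="<?= htmlspecialchars(csrf_token()) ?>">`. Two properties matter when reviewing a fix like this: the token must be checked before the deletion runs (not only on the confirmation page), and the action must not remain reachable through a GET URL that bypasses the form entirely.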

💥 Impact

CSRF attack: a logged-in user who opens an attacker-controlled link can be made to remove a linked file from their own expense report without intending to.

We have contacted a member of the dolibarr team and are waiting to hear back 2 years ago
ranjit-git modified the report
2 years ago
Laurent Destailleur marked this as fixed with commit c3e885 2 years ago
Laurent Destailleur has been awarded the fix bounty
This vulnerability will not receive a CVE
card.php#L70-L150 has been validated