Improper Authorization in dolibarr/dolibarr


Reported on Nov 19th 2021


I found an IDOR in Dolibarr.

Log in with demo:demo, then open the Agenda section.

First, I change all permissions of the demo user in Reception to None.

Second, I can't see the Receptions list in Products at all.

But I am able to see the following Reception:
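The report describes the classic shape of this bug: the list page honours the user's module rights, but the card page serves any reception to anyone who supplies its id. The following is an added illustrative model of that gap beside the corrected check; it is not Dolibarr's source and not the content of commit 63cd06. The users, records and the `rights` dictionary layout are constructed for the example (the right name `lire` follows Dolibarr's French naming for read rights, but the structure here is an assumption).

```python
"""Model of the authorization gap in the report: hidden list, reachable card.

Added example, not Dolibarr code. Everything below is constructed sample data.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a user lacks the permission a page requires."""


@dataclass
class User:
    login: str
    # module -> set of granted rights, e.g. {"reception": {"lire"}} (assumed layout)
    rights: dict = field(default_factory=dict)

    def can(self, module: str, right: str) -> bool:
        return right in self.rights.get(module, set())


# Constructed sample data: receptions stored by numeric id, as a card page would fetch them.
RECEPTIONS = {
    1: {"id": 1, "ref": "RE2111-0001", "supplier": "Constructed Supplier A"},
    2: {"id": 2, "ref": "RE2111-0002", "supplier": "Constructed Supplier B"},
}


def reception_list_page(user: User) -> list:
    """List page: enforces the module permission, which is why the reporter sees nothing here."""
    if not user.can("reception", "lire"):
        raise Forbidden("reception list")
    return list(RECEPTIONS.values())


def reception_card_vulnerable(user: User, reception_id: int) -> dict:
    """Card page as reported: looks the object up by id and never asks who is asking."""
    return RECEPTIONS[reception_id]  # IDOR: the only "protection" is that the list page hides the link


def reception_card_fixed(user: User, reception_id: int) -> dict:
    """Card page with the module permission enforced before any object data is returned."""
    if not user.can("reception", "lire"):
        raise Forbidden("reception card")
    record = RECEPTIONS.get(reception_id)
    if record is None:
        raise KeyError(reception_id)
    return record


def demonstrate() -> dict:
    """Replays the report's steps: demo user with Reception rights set to None."""
    demo = User("demo", rights={})
    outcome = {}
    try:
        reception_list_page(demo)
        outcome["list"] = "served"
    except Forbidden:
        outcome["list"] = "denied"
    # Direct request for reception id 1, bypassing the hidden list.
    outcome["card_vulnerable"] = reception_card_vulnerable(demo, 1)["ref"]
    try:
        reception_card_fixed(demo, 1)
        outcome["card_fixed"] = "served"
    except Forbidden:
        outcome["card_fixed"] = "denied"
    return outcome


if __name__ == "__main__":
    print(demonstrate())
```

The point the check makes is that hiding a menu entry or list is not authorization: every endpoint that loads an object by id has to evaluate the user's rights itself, because the id is guessable and the URL can be typed directly.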

We are processing your report and will contact the dolibarr team within 24 hours. 12 days ago
Laurent Destailleur validated this vulnerability 11 days ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on 63cd06 11 days ago
Laurent Destailleur has been awarded the fix bounty
card.php#L1-L2883 has been validated
card.php#L1-L329 has been validated
card.php#L1-L2727 has been validated
card.php#L1-L346 has been validated
bom_card.php#L1-L718 has been validated
photos.php#L1-L267 has been validated