Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr


Reported on Jul 21st 2021

✍️ Description

CSRF bug that allows removing a third party from a sales order

🕵️‍♂️ Proof of Concept

The handler does not check the CSRF token parameter: the token parameter can simply be removed from the URL. The request below is vulnerable to CSRF when removing a third party from a sales order.

💥 Impact

CSRF: an attacker can trick a logged-in user into removing a third party from a sales order without the user's intent.
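The defect class described above is a token check that only runs when the parameter is present, so dropping it from the URL skips validation. The following is an added illustration, not Dolibarr's code: the handler and session names are hypothetical, and the vulnerable handler sits next to the hardened one that rejects a missing token as well as a wrong one.

```python
import hmac
import secrets


def new_session() -> dict:
    """Create a hypothetical user session carrying a random CSRF token."""
    return {"csrf_token": secrets.token_hex(16)}


def remove_third_party_vulnerable(session: dict, params: dict) -> str:
    """Vulnerable pattern: the token is compared only when it is present.

    A request without the 'token' parameter never reaches the comparison,
    so a cross-site request that simply omits it is accepted.
    """
    token = params.get("token")
    if token is not None and not hmac.compare_digest(token, session["csrf_token"]):
        return "rejected: bad token"
    return "removed third party from sales order"


def remove_third_party_fixed(session: dict, params: dict) -> str:
    """Hardened pattern: absence of the token is treated as failure.

    Only a present token that matches the session value (compared in
    constant time) is allowed to perform the state-changing action.
    """
    token = params.get("token")
    if not token or not hmac.compare_digest(token, session["csrf_token"]):
        return "rejected: missing or bad token"
    return "removed third party from sales order"


if __name__ == "__main__":
    s = new_session()
    # Constructed request with the token parameter stripped from the URL
    forged = {"socid": "42", "action": "remove"}
    print("vulnerable:", remove_third_party_vulnerable(s, forged))
    print("fixed:     ", remove_third_party_fixed(s, forged))
```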


We have contacted a member of the dolibarr team and are waiting to hear back a year ago
Laurent Destailleur confirmed that a fix has been merged on 62b721 a year ago
Laurent Destailleur has been awarded the fix bounty
index.php#L74 has been validated