Description
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.
Remediation
References
Related Vulnerabilities
Envoy Proxy Incorrect Authorization Vulnerability (CVE-2026-26308)
Apache HTTP Server Resource Management Errors Vulnerability (CVE-2007-6423)
Python Improper Restriction of XML External Entity Reference Vulnerability (CVE-2017-9233)
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-1836)