Description

In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at “/adherents/note.php?id=1” endpoint.

Remediation

References

CVE-2021-25954

Related Vulnerabilities

WordPress Plugin RegistrationMagic-User Registration with Custom Registration Forms Cross-Site Scripting (5.3.2.0)

WordPress Plugin Student Result or Employee Database Security Bypass (1.6.3)

WordPress Plugin ALO EasyMail Newsletter Multiple Vulnerabilities (2.6.00)

ClipBucket Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-6644)

WordPress Plugin Tickera-WordPress Event Ticketing Cross-Site Request Forgery (3.4.9.9)

Severity

Medium

Classification

CVE-2021-25954 CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Tags

Missing Update Known Vulnerabilities