PT-2019-12179 · Dolibarr · Dolibarr Erp/Crm

Priyank Nigam · Published 2019-07-29 · Updated 2022-05-24 · CVE-2019-11201

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Dolibarr ERP/CRM version 9.0.1

Description: The issue concerns the website module in Dolibarr ERP/CRM, which includes a WYSIWYG editor for creating public websites. This editor allows the inclusion of dynamic code, which can lead to code execution on the host machine. An attacker, who must be a lower-privileged user of the application, can exploit this by checking a specific setting on the same page that enables the inclusion of dynamic content. As a result, code can be executed under the context and permissions of the underlying web server.

Recommendations: For Dolibarr ERP/CRM version 9.0.1, consider disabling the WYSIWYG editor in the website module until a patch is available, to prevent the inclusion of dynamic code and the resulting code execution. Restrict access to the website module to minimize the risk of exploitation.

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2019-11201
GHSA-JWG3-V9XM-V6Q9

Affected Products

Dolibarr Erp/Crm