Dolibarr · Dolibarr · CVE-2020-14209
**Name of the Vulnerable Software and Affected Versions**
Dolibarr versions prior to 11.0.5
**Description**
The issue allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. The upload filter does not block the .pht and .phar extensions, which many Apache/mod_php configurations treat as PHP, so a file with one of those extensions is stored under its original name and can be executed by requesting it. Additionally, a .htaccess file can be uploaded into the document directory to reconfigure the web server's access control and handler mapping, for example instructing Apache to execute .noexe files as PHP code. This defeats the .noexe protection mechanism, which neutralizes uploaded PHP files by renaming them with a .noexe suffix.
**Recommendations**
For versions prior to 11.0.5, update to version 11.0.5 or later to resolve the issue. Until the patch is applied, restrict the file upload feature to trusted users only, and configure the web server so that files with the .pht, .phar, and .noexe extensions in upload directories are never handled as PHP code and so that uploaded .htaccess files are ignored (on Apache, `AllowOverride None` for the document directory). Restricting access to the file upload feature minimizes the risk of exploitation while the upgrade is pending.
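The two failure modes described above (a denylist that misses .pht/.phar and an upload directory where a user-supplied .htaccess is honored) can be made concrete with a small filename-policy check. The example below is added here for illustration and is not Dolibarr's own code; the `weak_policy` function is an assumed model of a denylist-only filter that neutralizes .php by appending .noexe, and `hardened_policy` is the allowlist-based check a reviewer would expect instead. The extension sets and sample filenames are constructed for the example.

```python
import os
from typing import Optional

# Extensions that common Apache/mod_php configurations map to the PHP handler.
# The exact set varies by distribution; treat this as a conservative superset.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar", "phps"}

# Files that let an uploader reconfigure the web server or override execution rules.
SERVER_CONFIG_FILES = {".htaccess", ".htpasswd", "web.config"}

# Allowlist of document types an ERP upload endpoint actually needs (assumed set).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv", "odt", "docx", "xlsx"}


def weak_policy(filename: str) -> Optional[str]:
    """Assumed model of a denylist-only upload filter (not Dolibarr's code).

    Only '.php' is recognised as dangerous and is neutralised by appending
    '.noexe'; every other name, including '.pht', '.phar' and '.htaccess',
    is stored unchanged.
    """
    name = os.path.basename(filename)
    if name.lower().endswith(".php"):
        return name + ".noexe"
    return name


def hardened_policy(filename: str) -> Optional[str]:
    """Allowlist policy: return the name to store, or None to reject the upload.

    Rejects server configuration files and dotfiles, rejects any name that
    contains a PHP-handled extension in any position (so 'shell.php.jpg' and
    'x.phar.pdf' never reach disk), and only then requires the final
    extension to be on the allowlist.
    """
    name = os.path.basename(filename).strip()
    if not name or name.startswith(".") or name.lower() in SERVER_CONFIG_FILES:
        return None
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None  # no extension at all: cannot be mapped to a safe type
    for ext in parts[1:]:
        if ext in PHP_EXTENSIONS:
            return None
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return None
    return name


def audit(filenames):
    """Run both policies over a list of names; returns {name: (weak, hardened)}."""
    return {n: (weak_policy(n), hardened_policy(n)) for n in filenames}


if __name__ == "__main__":
    # Constructed sample uploads covering the cases from the advisory.
    samples = ["invoice.pdf", "shell.php", "shell.pht", "shell.phar",
               ".htaccess", "shell.php.jpg", "../../etc/passwd"]
    for name, (weak, hard) in audit(samples).items():
        print(f"{name:20} weak -> {weak!s:22} hardened -> {hard}")
```

Running the block shows that the weak filter stores `shell.pht`, `shell.phar` and `.htaccess` verbatim, which is exactly the combination the advisory describes, while the hardened policy rejects all three and also refuses double-extension names. Server-side, the same outcome should be enforced independently of application code: on Apache, `AllowOverride None` for the upload directory makes an uploaded .htaccess inert, and `php_admin_flag engine off` for that directory stops mod_php from executing anything stored there regardless of extension.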