
Arthur Valverde M

Rank #16464 of 53,638
Total CVSS: 16.3
Vulnerabilities: 2 (High: 2)
PT-2024-27767 · CVSS 8.8 · 2024-06-18
Unknown · Dolibarr Erp/Crm · CVE-2024-37821

**Name of the Vulnerable Software and Affected Versions**
Dolibarr ERP CRM versions up to 19.0.1

**Description**
The issue concerns an arbitrary file upload vulnerability in the Upload Template function. This vulnerability allows attackers to execute arbitrary code by uploading a crafted .SQL file.

**Recommendations**
For versions up to 19.0.1, consider disabling the Upload Template function until a patch is available to prevent exploitation. Restrict access to the Upload Template feature to minimize the risk of arbitrary code execution.
PT-2024-24124 · CVSS 7.5 · 2024-04-16
Unknown · Dolibarr Erp/Crm · CVE-2024-31503

**Name of the Vulnerable Software and Affected Versions**
Dolibarr ERP CRM versions 19.0.0 and before

**Description**
The issue allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover. This occurs due to incorrect access control in the software.

**Recommendations**
For versions 19.0.0 and before, update to a version that includes the necessary access control fixes to prevent session cookie and CSRF token theft. As a temporary workaround, consider restricting user interaction with crafted web pages to minimize the risk of exploitation.