Pierre Lacombe

Researcher fromElysium Security
#8639of 53,632
31.8Total CVSS
Vulnerabilities · 4
Medium
1
High
3
PT-2020-9600
8.8
2020-01-21
Dimo · Dimo Yellowbox Crm · CVE-2019-14765
**Name of the Vulnerable Software and Affected Versions** DIMO YellowBox CRM versions prior to 6.3.4 **Description** The issue is related to incorrect access control in the `AfficheExplorateurParam()` function, allowing a standard authenticated user to access administrative controllers. **Recommendations** For versions prior to 6.3.4, update to version 6.3.4 or later to resolve the issue.
PT-2020-9601
6.5
2020-01-21
Dimo · Dimo Yellowbox Crm · CVE-2019-14766
**Name of the Vulnerable Software and Affected Versions** DIMO YellowBox CRM versions prior to 6.3.4 **Description** The issue allows a standard authenticated user to browse the server filesystem due to a path traversal vulnerability in the file browser. **Recommendations** For versions prior to 6.3.4, update to version 6.3.4 or later to resolve the issue.
PT-2020-9602
7.5
2020-01-21
Dimo · Dimo Yellowbox Crm · CVE-2019-14767
**Name of the Vulnerable Software and Affected Versions** DIMO YellowBox CRM versions prior to 6.3.4 **Description** The issue allows an unauthenticated user to download arbitrary files from the server due to Path Traversal vulnerabilities in the images/Apparence and servletrecuperefichier endpoints. The `dossier` and `document` parameters are vulnerable to traversal attacks, enabling access to files outside the intended directory. **Recommendations** For versions prior to 6.3.4, update to version 6.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the images/Apparence and servletrecuperefichier endpoints to prevent unauthenticated users from exploiting the Path Traversal vulnerability. Avoid using the `dossier` and `document` parameters in these endpoints until the issue is resolved.
PT-2020-9603
9.0
2020-01-21
Apache · Apache Tomcat · CVE-2019-14768
**Name of the Vulnerable Software and Affected Versions** DIMO YellowBox CRM versions prior to 6.3.4 **Description** The issue concerns an Arbitrary File Upload problem in the file browser, allowing a standard authenticated user to upload a new WebApp WAR file to the Tomcat server via Path Traversal. This enables remote code execution with SYSTEM privileges. **Recommendations** For versions prior to 6.3.4, update to version 6.3.4 or later to resolve the issue.