PT-2020-13390 · Dolibarr · Dolibarr
Published 2020-05-20 · Updated 2025-04-03 · CVE-2020-13240
CVSS v2.0: 5.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Dolibarr version 11.0.4
Description
The issue allows authenticated users who hold the 'Setup documents directories' permission to rename uploaded files so that they receive insecure file extensions. This bypasses the .noexe protection mechanism and can lead to XSS attacks.
Recommendations
For Dolibarr version 11.0.4, restrict the 'Setup documents directories' permission to trusted users until a patch is available. As a temporary workaround, closely monitor file uploads and file-renaming activity to minimize the risk of exploitation.
Weakness types
- XSS
- Exposure of Resource to Wrong Sphere
- Incorrect Default Permissions
Affected Products
Dolibarr