PT-2020-13935 · Dolibarr
Andrea Gonzalez · Published 2020-09-02 · Updated 2022-05-24
CVE-2020-14209
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Dolibarr versions prior to 11.0.5
Description
The issue allows low-privileged users to upload files of dangerous types, leading to arbitrary code execution. The upload filter does not block the .pht and .phar extensions, both of which are commonly mapped to the PHP interpreter. Additionally, a .htaccess file can be uploaded to reconfigure access control for the upload directory, for example to have .noexe files executed as PHP code, thereby defeating the .noexe protection mechanism.
Recommendations
For versions prior to 11.0.5, update to version 11.0.5 or later to resolve the issue. Until the update is applied, restrict the file upload feature to trusted users and configure the web server so that .pht, .phar, and .noexe files are never executed as PHP code; this minimizes the risk of exploitation.
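As an added example (not part of the advisory and not Dolibarr project code), the temporary workaround expressed as Apache 2.4 server-level configuration: `/var/www/dolibarr/documents` is a placeholder for the upload directory, and the snippet assumes Apache serves that directory directly.

```apache
# Added example; place in the server or virtual-host configuration, never
# in an .htaccess file. /var/www/dolibarr/documents is a placeholder path.

# Weak setting: per-directory overrides let an uploaded .htaccess add
# AddHandler/AddType lines that turn .noexe (or any) files into PHP.
#<Directory "/var/www/dolibarr/documents">
#    AllowOverride All
#</Directory>

# Hardened setting for the upload tree.
<Directory "/var/www/dolibarr/documents">
    # Ignore any .htaccess found here, so uploaded ones cannot
    # reconfigure handlers or access control.
    AllowOverride None
    # No CGI or server-side includes from uploaded content.
    Options -ExecCGI -Includes
    # Refuse to serve anything with a PHP-like extension at all,
    # including the .pht and .phar variants and the .noexe suffix.
    <FilesMatch "\.(php[0-9]?|phtml|pht|phar|noexe)$">
        Require all denied
    </FilesMatch>
    # Never serve an uploaded .htaccess (defence in depth; it is
    # already ignored by AllowOverride None).
    <Files ".htaccess">
        Require all denied
    </Files>
</Directory>
```

Reload Apache and confirm that a request for an existing `.noexe` file in the upload directory now returns 403 rather than interpreter output.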
Weakness Enumeration
Unrestricted File Upload
Affected Products
Dolibarr