PT-2021-16880 · Dolibarr · Dolibarr

Daniel Elkabes · Published 2021-08-17 · Updated 2025-04-03 · CVE-2021-25956

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dolibarr versions 3.3.beta1 20121221 through 13.0.2

Description: Admin-level users are allowed to change other users' details, but when an existing user's Login is renamed the application does not check whether the new Login name is already in use. This leads to complete account takeover of the victim user, as the password of the existing user with the same login name is overwritten.

Recommendations: For versions 3.3.beta1 20121221 through 13.0.2, consider removing admin-level users' Modify permission on other users' details until a patch is available, or restrict the ability to rename a user's Login to prevent account takeover. Additionally, monitor user account activity for suspicious changes to login names and passwords.
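The following is an added example, not Dolibarr's own code: a minimal model of the login-rename flaw described above next to the uniqueness check that prevents it. The class and method names (UserStore, rename_login_unchecked, rename_login_checked) and the case-insensitive comparison are assumptions for illustration.

```python
# Added example, not Dolibarr's code: a minimal model of the login-rename flaw
# described above and the uniqueness check that prevents it. Class and
# method names (UserStore, rename_login_*) are assumed for illustration.

class LoginTakenError(ValueError):
    """Raised when a rename would collide with another user's login."""


class UserStore:
    """Users keyed by login; each record carries its own password hash."""

    def __init__(self):
        self.users = {}  # login -> {"id": int, "password_hash": str}

    def add(self, login, user_id, password_hash):
        self.users[login] = {"id": user_id, "password_hash": password_hash}

    def rename_login_unchecked(self, old_login, new_login, password_hash):
        """Vulnerable pattern: re-key the record under the new login without
        checking that it is free, so an existing user is silently replaced."""
        record = self.users.pop(old_login)
        record["password_hash"] = password_hash
        self.users[new_login] = record  # clobbers any existing entry

    def rename_login_checked(self, old_login, new_login, password_hash):
        """Hardened pattern: refuse a rename whose target login belongs to a
        different user (case-insensitive match is a conservative assumption)."""
        for login, rec in self.users.items():
            if login != old_login and login.lower() == new_login.lower():
                raise LoginTakenError(
                    f"login {new_login!r} already belongs to user id {rec['id']}")
        record = self.users.pop(old_login)
        record["password_hash"] = password_hash
        self.users[new_login] = record


def demo():
    """Constructed scenario: a second account is renamed onto the victim's login.
    Returns the user id owning 'victim' after the unchecked and checked rename."""
    results = []
    for rename in ("rename_login_unchecked", "rename_login_checked"):
        store = UserStore()
        store.add("victim", 1, "hash-of-victim-password")
        store.add("other", 2, "hash-of-other-password")
        try:
            getattr(store, rename)("other", "victim", "hash-chosen-by-renamer")
        except LoginTakenError:
            pass  # checked rename refused; victim's record is intact
        results.append(store.users["victim"]["id"])
    return tuple(results)  # (2, 1): takeover without the check, rejected with it
```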

Fix

Weakness Enumeration

Improper Authentication

Improper Access Control

Related Identifiers

BIT-DOLIBARR-2021-25956
CVE-2021-25956
GHSA-FJQG-W8G6-HHQ8

Affected Products

Dolibarr