CVE-2021-25954

Name of the Vulnerable Software and Affected Versions Dolibarr versions 2.8.1 through 13.0.4

Description The issue is related to inadequate access control in the Dolibarr application, allowing a low-privileged attacker to modify the Private Note, which is only supposed to be accessible by administrators. The affected field is located at the "/adherents/note.php?id=1" endpoint. This could potentially impact the integrity of protected information.

Recommendations For versions 2.8.1 through 13.0.4, consider restricting access to the "/adherents/note.php?id=1" endpoint to prevent unauthorized modification of the Private Note. As a temporary workaround, consider disabling the modification of Private Notes for low-privileged users until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.