Full Disclosure mailing list archives
Re: [oss-security] Dolibarr ERP & CRM - Multiple Issues
From: Stefan Pietsch <stefan.pietsch () foxmole com>
Date: Wed, 17 May 2017 22:08:25 +0200
On 10.05.2017 10:28, FOXMOLE Advisories wrote:
=== FOXMOLE - Security Advisory 2017-02-23 ===
Dolibarr ERP & CRM - Multiple Issues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Versions
=================
Dolibarr 4.0.4
Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting,
Weak Hash Algorithm without Salt, Weak Password Change Method
Technical Risk: critical
Likelihood of Exploitation: medium
Vendor: Dolibarr
Vendor URL: https://www.dolibarr.org/
Credits: FOXMOLE employees Tim Herres and Stefan Pietsch
Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-02-23.txt
Advisory Status: Public
OVE-ID: OVE-20170223-0001
CVE Number: CVE-2017-7886, CVE-2017-7887, CVE-2017-7888
CVE URL: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7886
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7887
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7888
CWE-ID: CWE-79, CWE-89, CWE-327, CWE-620, CWE-759
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
--- snip --- Here is a small update to our security advisory. An additional CVE ID got assigned for the password change finding: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8879 Meanwhile the Dolibarr developers fixed more possible SQL injection bugs in this git commit: https://github.com/Dolibarr/dolibarr/commit/fa290c34fad108ec7c0751c0372ae9c4b4f63b06 They still didn't release a fixed version of the Dolibarr software. For CVE-2017-7886 I don't agree with the CVSS v2 scoring from the NIST. They rated "Confidentiality Impact" as partial while I think it is complete as we have full access to all tables. Regards, Stefan
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: [oss-security] Dolibarr ERP & CRM - Multiple Issues Stefan Pietsch (May 19)
- Re: [oss-security] Dolibarr ERP & CRM - Multiple Issues Brandon Perry (May 19)