CVE-2021-25956 MEDIUM

CVE-2021-25956: Improper User Access Control in "Dolibarr" Leads to Account Takeover

Vendor Dolibarr
Product dolibarr
Weakness CWE-284
Published August 17, 2021
Last update September 16, 2024

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

Description

In the Dolibarr application, versions v3.3.beta1_20121221 through v13.0.2 give admin-level users “Modify” access to change other users' details, but do not check whether a “Login” name already exists when a user's login is renamed. An administrator can therefore rename one account to the login of an existing victim account; the password set during that edit is then written to the victim account carrying the same login, which amounts to a complete takeover of the victim user's account. Because the attacker must already hold an admin-level account (CVSS Privileges required: High), this is an authorization weakness that lets one privileged user seize another user's account rather than an unauthenticated entry point.
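The Python model below is added here and is not Dolibarr code or part of the advisory. It reproduces the failure mode the description sketches with a minimal SQLite users table and contrasts it with the two checks that close it: a pre-rename lookup that rejects a login already held by another account, and a password write keyed on the primary key instead of the login. The table layout, the helper names and the assumption that the vulnerable password write is keyed on the login column are constructed for the example; the advisory only states that the victim's password is overwritten and does not give the exact code path.

```python
"""Constructed model of the CVE-2021-25956 failure mode (not Dolibarr code).

Two accounts live in a minimal users table. An admin edit that renames a
user without checking that the new login is free, and then writes the new
password keyed on that login, silently resets the other account that already
owns the name. The fixed path rejects the rename and keys the password write
on the primary key; a UNIQUE constraint backstops both.
"""
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db(unique_login: bool) -> sqlite3.Connection:
    """In-memory users table seeded with alice (id 1) and bob (id 2).
    unique_login=True adds the database-level backstop."""
    con = sqlite3.connect(":memory:")
    constraint = " UNIQUE" if unique_login else ""
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        f"login TEXT NOT NULL{constraint}, salt BLOB NOT NULL, pass_hash TEXT NOT NULL)"
    )
    for login, pw in (("alice", "alice-secret"), ("bob", "bob-secret")):
        salt = os.urandom(16)
        con.execute("INSERT INTO users (login, salt, pass_hash) VALUES (?, ?, ?)",
                    (login, salt, _hash(pw, salt)))
    con.commit()
    return con


def admin_edit_vulnerable(con, user_id: int, new_login: str, new_password: str) -> int:
    """Vulnerable edit: rename with no uniqueness check, then write the new
    password for every row carrying the login (assumed code path, see lead-in).
    Returns the number of rows whose password was replaced."""
    con.execute("UPDATE users SET login = ? WHERE id = ?", (new_login, user_id))
    salt = os.urandom(16)
    cur = con.execute("UPDATE users SET salt = ?, pass_hash = ? WHERE login = ?",
                      (salt, _hash(new_password, salt), new_login))
    con.commit()
    return cur.rowcount


def admin_edit_fixed(con, user_id: int, new_login: str, new_password: str) -> int:
    """Hardened edit: normalise the requested login, refuse it if another
    account already holds it (case-insensitively), and key the password
    write on the primary key so it can never touch a second row."""
    wanted = new_login.strip()
    clash = con.execute(
        "SELECT id FROM users WHERE lower(login) = lower(?) AND id <> ?",
        (wanted, user_id),
    ).fetchone()
    if clash is not None:
        raise ValueError(f"login {wanted!r} already belongs to user id {clash[0]}")
    con.execute("UPDATE users SET login = ? WHERE id = ?", (wanted, user_id))
    salt = os.urandom(16)
    cur = con.execute("UPDATE users SET salt = ?, pass_hash = ? WHERE id = ?",
                      (salt, _hash(new_password, salt), user_id))
    con.commit()
    return cur.rowcount


def check_login(con, login: str, password: str) -> list:
    """Ids of accounts that accept this login/password pair (should be 0 or 1)."""
    rows = con.execute(
        "SELECT id, salt, pass_hash FROM users WHERE login = ? ORDER BY id", (login,))
    return [uid for uid, salt, h in rows if hmac.compare_digest(h, _hash(password, salt))]


def find_duplicate_logins(con) -> list:
    """Post-upgrade audit: logins shared by more than one account."""
    return con.execute(
        "SELECT lower(login), COUNT(*) FROM users GROUP BY lower(login) "
        "HAVING COUNT(*) > 1 ORDER BY 1").fetchall()


def demo_vulnerable():
    """Admin renames bob (id 2) to alice's login and sets a password of their choosing."""
    con = make_db(unique_login=False)
    replaced = admin_edit_vulnerable(con, 2, "alice", "attacker-pw")
    return (replaced,
            check_login(con, "alice", "alice-secret"),   # alice is locked out
            check_login(con, "alice", "attacker-pw"))    # attacker's password opens both rows


if __name__ == "__main__":
    print(demo_vulnerable())
```

Two points carry over to a real deployment. The application-level check must compare logins the way the login form does (trimmed and, if the app authenticates case-insensitively, lower-cased), otherwise "Alice " still collides with "alice" at sign-in; and the UNIQUE constraint alone is not enough, because a rename that fails at the database only protects you if the application stops there rather than continuing to the password write. The `find_duplicate_logins` query is the check to run on an instance that was exposed while vulnerable.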

Key dates

Disclosure timeline

August 17, 2021 CVE published
September 16, 2024 Record updated