CVE-2017-14240:
Dolibarr ERP and CRM Sensitive Data Disclosure

CVSS Score (v3.0): 7.5

Basic Information

EPSS Score: 0.50222%
Published: 5/17/2022
Updated: 9/18/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: dolibarr/dolibarr
Ecosystem: composer
Vulnerable Versions: <= 6.0.0
First Patched Version: 6.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper handling of the 'file' parameter in document.php. The commit diff shows critical changes where $original_file (derived from user input) was replaced with $fullpath_original_file after security checks. Pre-patch versions lacked adequate validation for directory traversal patterns (../) and dangerous characters, allowing attackers to disclose sensitive files by manipulating the file parameter. The code directly used user input to build filesystem paths without proper normalization, matching the CWE-200 exposure pattern.
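To make the root cause concrete, the following is an added illustration, not Dolibarr's own document.php code: a minimal resolver in the vulnerable shape described above (the 'file' parameter concatenated onto a document root with no normalization) beside a hardened resolver that canonicalizes the path with realpath() and refuses anything that does not stay inside the root. The function names, the $documentRoot parameter and the temporary directory layout are assumptions made for the example; the sample files are constructed in a temp directory so the script runs offline.

```php
<?php
// Added example (not Dolibarr's code): vulnerable vs. hardened document path resolution.
// Function names, $documentRoot and the temp layout are assumptions for this demo.

declare(strict_types=1);

/**
 * Vulnerable shape: the request's 'file' value is appended to the document root
 * with no normalization, so "../" segments walk out of the root.
 */
function resolve_vulnerable(string $documentRoot, string $file): string
{
    return $documentRoot . '/' . $file;
}

/**
 * Hardened shape: reject obvious traversal input early, canonicalize both the
 * root and the candidate, then require the candidate to lie strictly inside
 * the root. Returns null (do not serve) on any violation.
 */
function resolve_hardened(string $documentRoot, string $file): ?string
{
    // Cheap syntactic rejection: empty names, NUL bytes, and ".." path segments.
    if ($file === '' || strpos($file, "\0") !== false
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $file)) {
        return null;
    }
    $root = realpath($documentRoot);
    if ($root === false) {
        return null;
    }
    // realpath() collapses symlinks, "." and ".." and returns false for missing files.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $file);
    if ($candidate === false) {
        return null;
    }
    // Containment check: the canonical path must begin with "<root>/".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo layout (created in the system temp dir, removed at the end):
//   <base>/docs/invoice.txt   legitimate document inside the root
//   <base>/secret.txt         file outside the document root
$base = sys_get_temp_dir() . '/pathdemo_' . bin2hex(random_bytes(4));
mkdir($base . '/docs', 0700, true);
file_put_contents($base . '/docs/invoice.txt', "invoice\n");
file_put_contents($base . '/secret.txt', "secret\n");
$root = $base . '/docs';

foreach (['invoice.txt', '../secret.txt', 'sub/../../secret.txt'] as $req) {
    $v = resolve_vulnerable($root, $req);
    $h = resolve_hardened($root, $req);
    printf("%-24s vulnerable -> %-20s | hardened -> %s\n",
        $req,
        is_file($v) ? 'serves ' . basename($v) : 'no file',
        $h === null ? 'REJECTED' : 'serves ' . basename($h));
}

// Clean up the constructed files.
unlink($root . '/invoice.txt');
unlink($base . '/secret.txt');
rmdir($root);
rmdir($base);
```

The syntactic check alone is not the defense; the canonicalize-then-compare step is what actually bounds the served path, which is why the hardened resolver does both and still fails closed when realpath() cannot resolve the candidate.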

WAF Protection Rules

WAF Rule

There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter.
