Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2017-17898

CVE-2017-17898:
Dolibarr sensitive information disclosure

7.5

CVSS Score

Basic Information

CVE ID
CVE-2017-17898
GHSA ID
GHSA-jm38-vmgp-j7rx
EPSS Score
-
CWE
CWE-200
Published
5/14/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
dolibarr/dolibarrcomposer<= 6.0.46.0.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from template files (*.tpl.php) lacking authorization checks. The GitHub patch adds 'protection' code blocks verifying $langs object existence before execution. Vulnerable versions (<=6.0.4) didn't contain these checks, allowing direct URL access to templates that should only be included in authenticated contexts. The files modified in the security commit (cashdesk templates, adherents/info.php parameter handling) represent the vulnerable endpoints where sensitive data could be exposed through direct requests.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*oli**rr *RP/*RM v*rsion *.*.* *o*s not *lo*k *ir**t r*qu*sts to *.tpl.p*p *il*s, w*i** *llows r*mot* *tt**k*rs to o*t*in s*nsitiv* in*orm*tion.

Reasoning

T** vuln*r**ility st*ms *rom t*mpl*t* *il*s (*.tpl.p*p) l**kin* *ut*oriz*tion ****ks. T** *it*u* p*t** ***s 'prot**tion' *o** *lo*ks v*ri*yin* $l*n*s o*j**t *xist*n** ***or* *x**ution. Vuln*r**l* v*rsions (<=*.*.*) *i*n't *ont*in t**s* ****ks, *llowi