CVE-2018-16809: Dolibarr SQL injection via the integer parameters qty and value_unit

CVSS Score (v3.0): 9.8

Basic Information

EPSS Score: 0.71258%
Published: 5/14/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: dolibarr/dolibarr
Ecosystem: composer
Vulnerable Versions: >= 3.8, <= 7.0.0
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from Dolibarr's use of regex-based blacklist filtering in these functions rather than prepared statements or proper type casting. The advisory explicitly states that these functions were intended to protect against SQLi but were bypassed due to:
1) insufficient regex patterns that could be evaded via parameter splitting;
2) failure to properly handle integer parameters;
3) lack of context-aware escaping.
These functions directly process the qty/value_unit parameters used in the vulnerable UPDATE query in expensereport/card.php.
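The fix pattern the analysis points to (type-checked integers bound in a prepared statement), shown next to the blacklist-then-concatenate shape it replaces, as an added example that is not Dolibarr's code; the table and column names, the helper names and the blacklist pattern are assumptions.

```php
<?php
// Added example, not Dolibarr code. Table, column and helper names are assumptions.
declare(strict_types=1);

// Shape described in the analysis: a regex blacklist over the raw request value,
// then string concatenation into the UPDATE. The blacklist is the only barrier,
// so any value the pattern does not anticipate reaches the SQL text unchanged.
function buildUpdateWithBlacklist(string $qty, string $valueUnit, int $lineId): string
{
    $deny = '/\b(union|select|insert|update|delete|drop)\b/i';  // assumed pattern
    if (preg_match($deny, $qty) || preg_match($deny, $valueUnit)) {
        throw new InvalidArgumentException('blocked by blacklist');
    }
    return "UPDATE expensereport_det SET qty = $qty, value_unit = $valueUnit WHERE rowid = $lineId";
}

// Hardened form: allowlist by type (the parameters are integers, so accept nothing
// else) and bind them as integers in a prepared statement, so the query text never
// contains user-controlled bytes at all.
function parseIntParam(string $raw): int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    if ($v === false) {
        throw new InvalidArgumentException("expected an integer, got: $raw");
    }
    return $v;
}

function updateLine(PDO $db, string $qty, string $valueUnit, int $lineId): int
{
    $stmt = $db->prepare(
        'UPDATE expensereport_det SET qty = :qty, value_unit = :vu WHERE rowid = :id'
    );
    $stmt->bindValue(':qty', parseIntParam($qty), PDO::PARAM_INT);
    $stmt->bindValue(':vu', parseIntParam($valueUnit), PDO::PARAM_INT);
    $stmt->bindValue(':id', $lineId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demo against an in-memory SQLite database with constructed data (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE expensereport_det (rowid INTEGER PRIMARY KEY, qty INTEGER, value_unit INTEGER)');
$db->exec('INSERT INTO expensereport_det VALUES (1, 1, 10)');
echo buildUpdateWithBlacklist('3', '25', 1), "\n";   // raw values land inside the SQL text
echo updateLine($db, '3', '25', 1), " row updated\n";
foreach (['3x', '1.5', '2e1'] as $bad) {   // constructed non-integer inputs, all rejected
    try { parseIntParam($bad); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
}
```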

WAF Protection Rules

WAF Rule

An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.
