CVE-2019-1010054: Dolibarr Cross Site Request Forgery (CSRF)
CVSS Score: 8.8 (CVSS v3.0)
Basic Information
CVE ID: CVE-2019-1010054
GHSA ID:
EPSS Score: 0.72189%
CWE:
Published: 5/24/2022
Updated: 5/4/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| dolibarr/dolibarr | composer | = 7.0.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in three administrative actions handled by card.php and security.php: password change (action=confirm_password), user disable (action=confirm_delete), and encryption disable (action=disable_encrypt). Each is executed through a plain GET request with no CSRF token validation, so nothing in the request ties it to the administrator's own session. The PoC demonstrates that these actions can be triggered through malicious URLs that an authenticated admin visits, confirming the absence of CSRF protection. The file paths and parameter patterns match the vulnerability description and the exploit documentation.
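As an added illustration, not Dolibarr's code and not part of this advisory: a hypothetical PHP admin endpoint in the vulnerable shape described above (state change driven by a GET parameter, no token), beside a hardened version that accepts the action only over POST with a per-session CSRF token. Function and parameter names are assumptions; PHP 8 is assumed for `match`.

```php
<?php
// Hypothetical endpoint standing in for card.php / security.php.
session_start();

// Business actions are stand-ins: they only report what would have run.
function runAction(string $action, string $id): string
{
    return match ($action) {
        'confirm_password' => "password changed for user $id",
        'confirm_delete'   => "user $id disabled",
        'disable_encrypt'  => 'encryption disabled',
        default            => 'no-op',
    };
}

// Vulnerable shape: the action is selected by a GET parameter and nothing
// binds the request to the admin's session, so a URL the logged-in admin
// merely opens performs the change (the condition the advisory describes).
function handleVulnerable(array $get): string
{
    return runAction($get['action'] ?? '', $get['id'] ?? '');
}

// Hardened shape: a secret token stored in the session is required in the
// POST body. A cross-site page cannot read it, so a forged request fails.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function handleHardened(string $method, array $post): string
{
    if ($method !== 'POST') {                 // state changes never via GET
        http_response_code(405);
        return 'refused: state-changing actions require POST';
    }
    $sent = (string) ($post['token'] ?? '');
    // hash_equals() compares in constant time, avoiding a timing side channel.
    if ($sent === '' || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        return 'refused: missing or invalid CSRF token';
    }
    return runAction($post['action'] ?? '', $post['id'] ?? '');
}

// The legitimate confirmation form embeds the token as a hidden field:
//   input type="hidden" name="token" value=htmlspecialchars(csrfToken())
```

Pairing the token with a `SameSite=Lax` or `Strict` session cookie adds a second, independent layer, but the server-side token check is what makes the actions safe on their own.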