8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-15062

GHSA ID

GHSA-4qq9-qg7j-fcm9

EPSS Score

0.33221%

CWE

CWE-352

Published

5/24/2022

Updated

5/4/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-15062

CVE-2019-15062: Dolibarr Cross-Site Request Forgery (CSRF)

An issue was discovered in Dolibarr. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

(GitHub Advisory)

8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-15062

GHSA ID

GHSA-4qq9-qg7j-fcm9

EPSS Score

0.33221%

CWE

CWE-352

Published

5/24/2022

Updated

5/4/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dolibarr/dolibarr	composer	>= 10.0, < 10.0.2	10.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability chain requires two key flaws: 1) Unsanitized input handling in link label updates (alpha filter allows some special characters), and 2) Unsafe output rendering of stored labels. The patch specifically addresses these by changing to 'alphanohtml' filtering and adding HTML escaping. These functions directly correspond to the attack vector described - storing malicious IFRAME via label input and executing it when viewed.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in *oli**rr. * us*r **n stor* *n I*R*M* *l*m*nt (*ont*inin* * us*r/**r*.p*p *SR* r*qu*st) in *is Link** *il*s s*ttin*s p***. W**n visit** *y t** **min, t*is *oul* *ompl*t*ly t*k* ov*r t** **min ***ount. (T** prot**tion m****ni

Reasoning

T** vuln*r**ility ***in r*quir*s two k*y *l*ws: *) Uns*nitiz** input **n*lin* in link l***l up**t*s (*lp** *ilt*r *llows som* sp**i*l ***r**t*rs), *n* *) Uns*** output r*n**rin* o* stor** l***ls. T** p*t** sp**i*i**lly ***r*ss*s t**s* *y ***n*in* to

8

Basic Information

Concerned about an active attack path?

CVE-2019-15062: Dolibarr Cross-Site Request Forgery (CSRF)

8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI