8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-14209

GHSA ID

GHSA-2gcp-xwxg-hqg3

EPSS Score

0.92534%

CWE

CWE-434

Published

5/24/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-14209

CVE-2020-14209: Dolibarr Unrestricted Upload of File with Dangerous Type

Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-14209

CVE-2020-14209:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-14209

GHSA ID

GHSA-2gcp-xwxg-hqg3

EPSS Score

0.92534%

CWE

CWE-434

Published

5/24/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dolibarr/dolibarr	composer	< 11.0.5	11.0.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient file type validation during uploads. The Wizlynx technical analysis explicitly references the isAFileWithExecutableContent function in functions.lib.php as the validation mechanism, showing its regex pattern (visible in their screenshot) didn't account for .pht/.phar extensions. This function's failure to properly identify these dangerous types allowed low-privilege users to upload executable files. The function's central role in file validation and direct mention in the PoC documentation gives high confidence in this assessment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-14209: Dolibarr Unrestricted Upload of File with Dangerous Type

CVE-2020-14209:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2020-14209: Dolibarr Unrestricted Upload of File with Dangerous Type

8.8

8.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI