Miggo Logo
Miggo Vulnerability Database
CVE-2021-33816

CVE-2021-33816:
Dolibarr remote PHP code execution

9.8

CVSS Score

Basic Information

CVE ID
CVE-2021-33816
GHSA ID
GHSA-vxr9-p2xw-m8cf
EPSS Score
-
CWE
CWE-94
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
dolibarr/dolibarrcomposer= 13.0.214.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from incomplete input validation in the website builder module. The advisory explicitly states that while dangerous functions like system/exec/shell_exec were blocked, PHP's backtick operator (which triggers shell command execution via the shell_exec() mechanism) was not sanitized. This allows attackers to inject code like uname -a via the PAGE_CONTENT parameter, which gets executed when the generated PHP page is rendered. The vulnerable code path resides in the website module's content processing logic, likely in the controller handling the 'updatesource' action.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** w**sit* *uil**r mo*ul* in *oli**rr **.*.* *llows r*mot* P*P *o** *x**ution ****us* o* *n in*ompl*t* prot**tion m****nism in w*i** syst*m, *x**, *n* s**ll_*x** *r* *lo*k** *ut ***kti*ks *r* not *lo*k**.

Reasoning

T** vuln*r**ility st*ms *rom in*ompl*t* input v*li**tion in t** w**sit* *uil**r mo*ul*. T** **visory *xpli*itly st*t*s t**t w*il* **n**rous *un*tions lik* syst*m/*x**/s**ll_*x** w*r* *lo*k**, P*P's ***kti*k op*r*tor (w*i** tri***rs s**ll *omm*n* *x**