Dolibarr ERP & CRM Website Module Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the Website module of Dolibarr ERP & CRM versions 22.0.4 and prior. The issue arises from inconsistent enforcement of PHP code detection and editing permissions: the check that is meant to block PHP is not applied to every input field, so authenticated users with only limited HTML/JavaScript editing rights can inject PHP code through unprotected input fields while creating website pages.

Impact

Exploitation of this vulnerability allows remote code execution on the server, leading to full compromise of the web application. It could also result in unauthorized access to sensitive data and in the modification or deletion of data.

Reproduction

To reproduce this vulnerability, an authenticated user with 'read' or 'HTML/JavaScript edit' permissions can create a new webpage in the Website module. During the page creation process, the user can inject PHP code through unprotected input fields, bypassing the intended permission restrictions. Once the page is saved, the injected PHP code will be executed on the server.
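The root cause is a PHP-code check applied to some page fields but not others. As an added, defender-side example (not Dolibarr's own code), the snippet below runs one conservative check over every user-controlled field of a page-creation request and gates the result on a dedicated "may write PHP" right; the field names and the permission flag are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Dolibarr code. Field names and the permission flag are assumed.

/**
 * True if the value contains a PHP open tag. Any "<?" is rejected, not only "<?php"
 * and "<?=": on hosts with short_open_tag enabled even "<?xml" starts PHP mode,
 * so the conservative rule is the safe one for content that will be written to disk.
 */
function containsPhpCode(string $value): bool
{
    return (bool) preg_match('/<\?/', $value);
}

/**
 * Validate every field of the request with the same rule. Returns the names of
 * the rejected fields; an empty array means the page may be saved.
 */
function rejectedPhpFields(array $fields, bool $userMayWritePhp): array
{
    if ($userMayWritePhp) {
        return [];            // a dedicated right, distinct from HTML/JS editing
    }
    $rejected = [];
    foreach ($fields as $name => $value) {
        if (is_string($value) && containsPhpCode($value)) {
            $rejected[] = $name;
        }
    }
    return $rejected;
}

// Constructed request: every field a page form might carry, not only the main editor.
// The PHP fragment is a harmless marker chosen for the demonstration.
$request = [
    'title'       => 'About us',
    'description' => 'Plain meta description',
    'htmlheader'  => '<meta name="generator" content="<?= date("Y") ?>">',
    'content'     => '<p>Hello</p>',
];

$userMayWritePhp = false;     // HTML/JavaScript editor without the PHP right
$rejected = rejectedPhpFields($request, $userMayWritePhp);
if ($rejected !== []) {
    echo 'Refusing to save page; PHP found in: ' . implode(', ', $rejected) . PHP_EOL;
} else {
    echo 'Page accepted' . PHP_EOL;
}
```

Applying the same function to the header, description and content fields alike removes the gap the advisory describes; the right that unlocks it should be separate from the HTML/JavaScript editing right.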

Added: Apr 21, 2026, 3:30 PM
Updated: Apr 21, 2026, 3:30 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 10.0
exploitability: 5.6
remediation: 0.0
relevance: 6.1
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.