Dolibarr ERP/CRM Authenticated Code Injection
| Disclosed | Created |
|---|---|
| May 29, 2023 | May 14, 2026 |
Description
Dolibarr ERP/CRM before 17.0.1 allows remote code execution by an
authenticated user who has access to the Website module. The
application filters lowercase `<?php` injection in website page content, but this check can be bypassed
by using an uppercase variant such as `<?PHP`, which allows injecting arbitrary PHP code that is executed when the
website page is rendered. Versions prior to 17.0.1 are known to
be vulnerable. The vulnerability was fixed in version 17.0.1.
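The description above boils down to a case-sensitive filter on a token that the PHP interpreter treats case-insensitively. The following is an added illustration, not code from Dolibarr or from the Metasploit module: a naive check modelled on the defective behaviour the advisory describes, placed beside a hardened check that rejects any PHP open tag regardless of letter case, both run over constructed sample page bodies (none of them taken from the product). The function names and samples are assumptions for the demonstration, and the hardened regex is one reasonable implementation, not Dolibarr's actual fix.

```python
import re

# Constructed sample page bodies (not taken from Dolibarr); the "uppercase"
# entry is the variant the advisory describes.
SAMPLE_PAGES = {
    "plain": "<h1>Welcome</h1><p>Static HTML only.</p>",
    "lowercase": "<h1>Hi</h1><?php echo 'marker'; ?>",
    "uppercase": "<h1>Hi</h1><?PHP echo 'marker'; ?>",
    "mixed": "<h1>Hi</h1><?Php echo 'marker'; ?>",
    "short_echo": "<p><?= 'marker' ?></p>",
}


def naive_contains_php(content: str) -> bool:
    """Case-sensitive substring check modelling the defective filter the
    advisory describes: only the exact lowercase open tag is caught."""
    return "<?php" in content


# PHP opens a code block on "<?php" (any letter case), on "<?=" (short echo)
# and, when short_open_tag is enabled, on a bare "<?". Matching "<?" with an
# optional suffix rejects all three; re.IGNORECASE is what closes the
# uppercase bypass.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)?", re.IGNORECASE)


def hardened_contains_php(content: str) -> bool:
    """Reject any PHP open tag regardless of letter case."""
    return PHP_OPEN_TAG.search(content) is not None


def evaluate(pages: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (naive_flagged, hardened_flagged)} for each sample."""
    return {
        name: (naive_contains_php(body), hardened_contains_php(body))
        for name, body in pages.items()
    }


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate(SAMPLE_PAGES).items():
        print(f"{name:10s} naive={str(naive):5s} hardened={hardened}")
```

Running it shows the naive check catching only the lowercase sample while letting the uppercase, mixed-case and short-echo samples through; the hardened check flags all four. A deny-list on a single spelling of a token is fragile whenever the consumer (here the PHP parser) normalises input the filter does not; the more robust design is to never hand user-editable page content to an interpreter at all, with a case-insensitive tag check as defence in depth.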
Authors
Tinexta Cyber Offensive Security Team
Emanuele Cervelli
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':