vulnerability
Ubuntu: (CVE-2021-25956): dolibarr vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:P/I:P/A:P) | Aug 17, 2021 | Jun 26, 2025 | Mar 27, 2026 |
Severity
7
CVSS
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
Published
Aug 17, 2021
Added
Jun 26, 2025
Modified
Mar 27, 2026
Description
In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.
Solution
no-fix-ubuntu-package
References
- CVE-2021-25956
- https://attackerkb.com/topics/CVE-2021-25956
- CWE-284
- EUVD-EUVD-2021-2054
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-2054
- https://github.com/Dolibarr/dolibarr/commit/c4cba43bade736ab89e31013a6ccee59a6e077ee
- https://www.cve.org/CVERecord?id=CVE-2021-25956
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25956
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.