CVE-2023-4197 — Dolibarr Improper Input Validation vulnerability

Description

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

How to fix CVE-2023-4197

To remediate CVE-2023-4197, upgrade the affected package to a fixed version below.

Bitnami/dolibarr—no fix listed
—upgrade to 18.0.2 or later

Is CVE-2023-4197 being exploited?

Likely — EPSS is 53.3%, placing CVE-2023-4197 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, <= 18.0.1
from 0, < 18.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-4197
PATCHgithub.com/Dolibarr/dolibarr
WEBgithub.com/Dolibarr/dolibarr/commit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e
WEBstarlabs.sg/advisories/23/23-4197