CVE-2024-29477 — Dolibarr ERP CRM Code Injection vulnerability during installation

Description

Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.

How to fix CVE-2024-29477

To remediate CVE-2024-29477, upgrade the affected package to a fixed version below.

Bitnami/dolibarr—upgrade to 19.0.1 or later
—no fix listed

Is CVE-2024-29477 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 19.0.1
from 0, <= 19.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-29477
PATCHgithub.com/Dolibarr/dolibarr
WEBdolibarr.com
WEBgithub.com/alexbsec/CVEs/blob/master/2024/CVE-2024-29477.md