{"containers": {"cna": {"affected": [{"product": "dolibarr", "vendor": "Dolibarr", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "2.8.1", "versionType": "custom"}, {"lessThanOrEqual": "13.0.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Hagai Wechsler"}], "datePublic": "2021-08-06T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "In \u201cDolibarr\u201d application, 2.8.1 to 13.0.4 don\u2019t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at \u201c/adherents/note.php?id=1\u201d endpoint."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-09T16:58:31.000Z", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377"}], "solutions": [{"lang": "en", "value": "Update to 14.0.0"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "Improper Access Control in \u201cDolibarr\u201d", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "2021-08-06T21:00:00.000Z", "ID": "CVE-2021-25954", "STATE": "PUBLIC", "TITLE": "Improper Access Control in \u201cDolibarr\u201d"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "dolibarr", "version": {"version_data": [{"version_affected": ">=", "version_value": "2.8.1"}, {"version_affected": "<=", "version_value": "13.0.4"}]}}]}, "vendor_name": "Dolibarr"}]}}, "credit": [{"lang": "eng", "value": "Hagai Wechsler"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In \u201cDolibarr\u201d application, 2.8.1 to 13.0.4 don\u2019t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at \u201c/adherents/note.php?id=1\u201d endpoint."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954", "refsource": "MISC", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954"}, {"name": "https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377", "refsource": "MISC", "url": "https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377"}]}, "solution": [{"lang": "en", "value": "Update to 14.0.0"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:18.981Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377"}]}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2021-25954", "datePublished": "2021-08-09T16:58:31.962Z", "dateReserved": "2021-01-22T00:00:00.000Z", "dateUpdated": "2024-09-17T00:31:24.945Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEDBE20F-CD40-424A-9E8E-A8A941B5BFCB", "versionEndIncluding": "13.0.4", "versionStartIncluding": "2.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In \u201cDolibarr\u201d application, 2.8.1 to 13.0.4 don\u2019t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at \u201c/adherents/note.php?id=1\u201d endpoint."}, {"lang": "es", "value": "En la aplicaci\u00f3n Dolibarr, versiones 2.8.1 hasta 13.0.4, no se restringe o se restringe incorrectamente el acceso a un recurso de un actor no autorizado. Un atacante poco privilegiado puede modificar la Nota Privada que s\u00f3lo un administrador tiene derechos para hacer, el campo afectado se encuentra en el endpoint \"/adherents/note.php?id=1\""}], "id": "CVE-2021-25954", "lastModified": "2024-11-21T05:55:40.020", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-09T17:15:07.307", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}