{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3adolibarrdolibarr_erp%5C/crm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2023-30253"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Dolibarr ERP/CRM \u003c 17.0.1"],"_cs_severities":["high"],"_cs_tags":["cve-2023-30253","os command injection","rce","web application"],"_cs_type":"threat","_cs_vendors":["Dolibarr"],"content_html":"\u003cp\u003eA public exploit has been published for CVE-2023-30253, an OS Command Injection vulnerability affecting Dolibarr ERP/CRM versions prior to 17.0.1. Discovered by Swascan (now Hacktivesecurity) in May 2023, the vulnerability resides in the Website/CMS module, allowing authenticated users to inject PHP code and execute arbitrary commands. An attacker can leverage this vulnerability to gain a reverse shell as the \u003ccode\u003ewww-data\u003c/code\u003e user. The availability of a working exploit significantly increases the risk to unpatched Dolibarr ERP/CRM instances. The exploit uses specifically crafted HTTP POST requests to create a website, create a page within that website, inject malicious PHP code into the page content, and then trigger the execution of the injected code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Dolibarr ERP/CRM instance, obtaining session cookies and a CSRF token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003e/website/index.php?action=createsite\u003c/code\u003e to create a new website with parameters such as \u003ccode\u003eWEBSITE_REF\u003c/code\u003e and \u003ccode\u003eWEBSITE_TITLE\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a page within the newly created website by sending a POST request to \u003ccode\u003e/website/index.php?website=misitio\u003c/code\u003e with parameters \u003ccode\u003eWEBSITE_TYPE_CONTAINER\u003c/code\u003e and \u003ccode\u003eWEBSITE_TITLE\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious PHP code into the page content by sending a POST request to \u003ccode\u003e/website/index.php?website=misitio\u0026amp;pageid=1\u0026amp;action=editsource\u003c/code\u003e. The injected code contains a PHP reverse shell payload. The \u003ccode\u003ePAGE_CONTENT\u003c/code\u003e parameter carries the injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers execution of the injected PHP code by accessing the crafted URL: \u003ccode\u003e/public/website/index.php?website=misitio\u0026amp;pageref=misitio\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected PHP code executes, creating a reverse shell connection back to the attacker\u0026rsquo;s designated \u003ccode\u003elhost\u003c/code\u003e and \u003ccode\u003elport\u003c/code\u003e (e.g., 10.10.14.5:4444).\u003c/li\u003e\n\u003cli\u003eThe attacker gains shell access with the privileges of the \u003ccode\u003ewww-data\u003c/code\u003e user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-30253 allows an attacker to execute arbitrary OS commands on the Dolibarr ERP/CRM server. This can lead to complete system compromise, including data theft, data modification, and denial of service. Since ERP/CRM systems often contain sensitive business data, the impact can be significant. While the number of affected organizations is not specified, any Dolibarr ERP/CRM instance running a version prior to 17.0.1 is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch by upgrading to Dolibarr version 17.0.1 or later to address CVE-2023-30253.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/website/index.php\u003c/code\u003e whose \u003ccode\u003ePAGE_CONTENT\u003c/code\u003e parameter contains PHP code, as described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eUse a network monitoring solution to watch for outbound connections from the web server to unusual IPs and ports, which could indicate a reverse shell.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-30T08:03:20Z","date_published":"2026-05-30T08:03:20Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2023-30253-dolibarr-rce/","summary":"A public exploit is available for an OS Command Injection vulnerability in Dolibarr ERP/CRM versions prior to 17.0.1 (CVE-2023-30253), which allows authenticated users to inject PHP code via the Website/CMS module to obtain a reverse shell as the www-data user.","title":"Dolibarr ERP/CRM OS Command Injection (CVE-2023-30253) Exploit Publicly Available","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2023-30253-dolibarr-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:dolibarr:dolibarr_erp\\/Crm:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}