Dolibarr ERP/CRM < 17.0.1 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/dolibarr-erp/crm--17.0.1/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 30 May 2026 08:03:20 +0000Dolibarr ERP/CRM OS Command Injection (CVE-2023-30253) Exploit Publicly Availablehttps://feed.craftedsignal.io/briefs/2026-05-cve-2023-30253-dolibarr-rce/Sat, 30 May 2026 08:03:20 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2023-30253-dolibarr-rce/A public exploit is available for an OS Command Injection vulnerability in Dolibarr ERP/CRM versions prior to 17.0.1 (CVE-2023-30253), which allows authenticated users to inject PHP code via the Website/CMS module to obtain a reverse shell as the www-data user.A public exploit has been published for CVE-2023-30253, an OS Command Injection vulnerability affecting Dolibarr ERP/CRM versions prior to 17.0.1. Discovered by Swascan (now Hacktivesecurity) in May 2023, the vulnerability resides in the Website/CMS module, allowing authenticated users to inject PHP code and execute arbitrary commands. An attacker can leverage this vulnerability to gain a reverse shell as the www-data user. The availability of a working exploit significantly increases the risk to unpatched Dolibarr ERP/CRM instances. The exploit uses specifically crafted HTTP POST requests to create a website, create a page within that website, inject malicious PHP code into the page content, and then trigger the execution of the injected code.

Attack Chain

  1. Attacker authenticates to the Dolibarr ERP/CRM instance, obtaining session cookies and a CSRF token.
  2. Attacker crafts a POST request to /website/index.php?action=createsite to create a new website with parameters such as WEBSITE_REF and WEBSITE_TITLE.
  3. Attacker creates a page within the newly created website by sending a POST request to /website/index.php?website=misitio with parameters WEBSITE_TYPE_CONTAINER and WEBSITE_TITLE.
  4. The attacker injects malicious PHP code into the page content by sending a POST request to /website/index.php?website=misitio&pageid=1&action=editsource. The injected code contains a PHP reverse shell payload. The PAGE_CONTENT parameter contains the injected PHP code.
  5. The attacker triggers the execution of the injected PHP code by accessing the crafted URL: /public/website/index.php?website=misitio&pageref=misitio.
  6. The injected PHP code executes, creating a reverse shell connection back to the attacker’s designated lhost and lport (e.g., 10.10.14.5:4444).
  7. The attacker gains shell access with the privileges of the www-data user.

Impact

Successful exploitation of CVE-2023-30253 allows an attacker to execute arbitrary OS commands on the Dolibarr ERP/CRM server. This can lead to complete system compromise, including data theft, modification, and denial of service. Since ERP/CRM systems often contain sensitive business data, the impact can be significant. While the number of affected organizations is not specified, any Dolibarr ERP/CRM instance running a version prior to 17.0.1 is vulnerable.

Recommendation

  • Apply the patch by upgrading to Dolibarr version 17.0.1 or later to address CVE-2023-30253.
  • Monitor web server logs for POST requests to /website/index.php with suspicious PAGE_CONTENT parameters containing PHP code, as described in the Attack Chain.
  • Monitor network connections for outbound connections from the web server to unusual IPs and ports, which could indicate a reverse shell, using a network monitoring solution.
]]>highthreatcve-2023-30253os command injectionrceweb application