{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dolibarr/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-23500"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","dolibarr"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDolibarr, a popular open-source ERP and CRM system, is susceptible to OS Command Injection (RCE) in versions up to 22.0.4. This vulnerability, identified as CVE-2026-23500, stems from insufficient validation of the \u003ccode\u003eMAIN_ODT_AS_PDF\u003c/code\u003e configuration setting. An attacker with administrative privileges can inject malicious commands into this setting, which are then executed by the server during ODT to PDF conversion processes. The vulnerability resides in \u003ccode\u003ehtdocs/includes/odtphp/odf.php\u003c/code\u003e, where the application constructs a shell command using the unfiltered \u003ccode\u003eMAIN_ODT_AS_PDF\u003c/code\u003e value. Successful exploitation enables arbitrary command execution on the server, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains administrative access to the Dolibarr instance, either through credential compromise or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026ldquo;Home -\u0026gt; Setup -\u0026gt; Other Setup\u0026rdquo; section of the Dolibarr administration panel.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eMAIN_ODT_AS_PDF\u003c/code\u003e configuration constant. The injected payload includes a command separator (\u003ccode\u003e;\u003c/code\u003e) followed by the malicious command. 
The example uses \u003ccode\u003ejodconverter; echo \u0026lt;base64_encoded_command\u0026gt; | base64 -d | bash\u003c/code\u003e: the legitimate converter name is kept so the conversion still runs, and the appended command is decoded and executed after it.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026ldquo;Commerce -\u0026gt; New proposal\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new proposal in draft status and selects an ODT template.\u003c/li\u003e\n\u003cli\u003eThe attacker clicks the \u0026ldquo;Generate\u0026rdquo; button, triggering the ODT to PDF conversion process.\u003c/li\u003e\n\u003cli\u003eThe application builds the conversion command from the tampered \u003ccode\u003eMAIN_ODT_AS_PDF\u003c/code\u003e value and hands it to the shell, which runs the appended command as the web server user.\u003c/li\u003e\n\u003cli\u003eIn the proof of concept, the attacker establishes a reverse shell connection to a listener at 172.26.0.1 port 4445 (a private RFC 1918 address from the proof-of-concept lab environment), gaining interactive shell access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker with administrator privileges to execute arbitrary commands on the underlying server as the web server user. This can lead to the compromise of sensitive data, modification of application files, and potentially full system compromise. The observed impact includes the establishment of a reverse shell, granting the attacker interactive control over the Dolibarr host with the privileges of the web server user. This vulnerability affects Dolibarr installations up to version 22.0.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Dolibarr to a patched version beyond 22.0.4 to remediate CVE-2026-23500.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events on the web server for child processes of the PHP or web server process whose command line chains the configured converter (for example \u003ccode\u003ejodconverter\u003c/code\u003e) with a shell separator and a decode-and-execute pattern such as \u003ccode\u003ebase64 -d | bash\u003c/code\u003e; the Sigma rules accompanying this brief target that pattern.\u003c/li\u003e\n\u003cli\u003eMonitor outbound network connections from the web server to unexpected destinations, especially shortly after document generation events. The address \u003ccode\u003e172.26.0.1\u003c/code\u003e and port 4445 in the proof of concept are the lab listener used for the demonstration, not a real command-and-control server; they are not indicators to block at the network perimeter.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly audit administrator accounts to prevent unauthorized access to the Dolibarr configuration settings, and alert on any change to the stored value of \u003ccode\u003eMAIN_ODT_AS_PDF\u003c/code\u003e (Dolibarr keeps configuration constants in its \u003ccode\u003ellx_const\u003c/code\u003e table), since exploitation requires an administrator to change that value first.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-dolibarr-rce/","summary":"Dolibarr versions 22.0.4 and earlier are vulnerable to OS Command Injection via the MAIN_ODT_AS_PDF configuration, allowing an authenticated administrator to inject a malicious payload, leading to arbitrary operating system command execution.","title":"Dolibarr OS Command Injection via MAIN_ODT_AS_PDF Configuration","url":"https://feed.craftedsignal.io/briefs/2026-04-dolibarr-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25710"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2019-25710","dolibarr","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDolibarr ERP-CRM is a popular open-source enterprise resource planning and customer relationship management software. Version 8.0.4 of Dolibarr is susceptible to a high-severity SQL injection vulnerability (CVE-2019-25710, CVSS 8.2) affecting the \u003ccode\u003erowid\u003c/code\u003e parameter of the \u003ccode\u003eadmin/dict.php\u003c/code\u003e endpoint. This flaw allows unauthenticated attackers to inject malicious SQL code through the \u003ccode\u003erowid\u003c/code\u003e POST parameter. Successful exploitation enables attackers to execute arbitrary SQL queries against the Dolibarr database, potentially leading to the exposure of sensitive information, modification of data, or complete compromise of the application. 
Because the application returns database error messages to the client, the flaw can be exploited with error-based SQL injection, which leaks query results through the error text.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Dolibarr ERP-CRM instance running version 8.0.4.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eadmin/dict.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003erowid\u003c/code\u003e parameter containing a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe server-side application places the unsanitized \u003ccode\u003erowid\u003c/code\u003e value into a database query and executes it, so the injected SQL runs with the privileges of the database account used by the application.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the error messages returned by the application to refine the SQL injection payload until it reliably echoes query results in the error text.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages error-based SQL injection techniques to extract sensitive information from the database, such as user credentials, API keys, or financial data.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially uses the extracted credentials to gain unauthorized access to other parts of the application or the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to severe consequences, including unauthorized access to sensitive data, data breaches, and complete compromise of the Dolibarr ERP-CRM system. The vulnerability allows attackers to extract sensitive database information, modify data, and, where the database account has file-write privileges, potentially write files to the web root and execute code on the server. 
Given that ERP and CRM systems often contain critical business data, the impact can be significant for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade from 8.0.4 to a current, supported Dolibarr release to remediate CVE-2019-25710; the 8.0 branch has been unsupported for years.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Dolibarr rowid Parameter SQL Injection Attempt\u003c/code\u003e to your SIEM to identify potential exploitation attempts against the \u003ccode\u003eadmin/dict.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to \u003ccode\u003eadmin/dict.php\u003c/code\u003e with suspicious characters or SQL keywords in the \u003ccode\u003erowid\u003c/code\u003e parameter. Standard access logs record only the request line, not the POST body, so this detection needs request-body logging from a WAF, a ModSecurity audit log, or the application itself; without it the rule has nothing to match.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to filter out malicious SQL injection payloads targeting the \u003ccode\u003erowid\u003c/code\u003e parameter in \u003ccode\u003eadmin/dict.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:34Z","date_published":"2026-04-12T13:16:34Z","id":"/briefs/2026-04-dolibarr-sqli/","summary":"Dolibarr ERP-CRM 8.0.4 is vulnerable to SQL injection via the rowid parameter in the admin/dict.php endpoint, allowing attackers to execute arbitrary SQL queries and extract sensitive database information.","title":"Dolibarr ERP-CRM 8.0.4 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dolibarr-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Dolibarr","version":"https://jsonfeed.org/version/1.1"}