CVE-2022-40871 : Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installat

Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.

Published 2022-10-12 12:15:10

Updated 2022-10-14 20:17:19

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-40871

Probability of exploitation activity in the next 30 days: 0.25%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 64 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-40871

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-40871

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-40871

https://github.com/youncyb/dolibarr-rce

GitHub - youncyb/dolibarr-rce: DOLIBARR ERP & CRM rce
Exploit;Third Party Advisory

Products affected by CVE-2022-40871

Dolibarr » Dolibarr Erp/crm
Versions up to, including, (<=) 15.0.3
cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2022-40871

Exploit prediction scoring system (EPSS) score for CVE-2022-40871

CVSS scores for CVE-2022-40871

CWE ids for CVE-2022-40871

References for CVE-2022-40871

Products affected by CVE-2022-40871