CVE-2019-15062 — Vulnetix

CVE-2019-15062 PUBLISHED

An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

EPSS 0.09% · 25.7th percentile

Risk Scores

EPSS Score

0.09%

25.7th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	dolibarr	0, 3.5.5+dfsg1-2, 3.5.7+dfsg1-1

Exploit Intelligence

https://gauravnarwani.com/publications/CVE-2019-15062/ (nist-nvd)
https://github.com/Dolibarr/dolibarr/issues/11671 (nist-nvd)

Timeline

Aug 14, 2019 CVE Published
Aug 28, 2019 CVE Updated
Apr 14, 2021 EPSS Score
Jun 23, 2021 EPSS Score
Aug 24, 2021 EPSS Score
Oct 26, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 28, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 1, 2022 EPSS Score
Jul 3, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2019-15062 third-party-advisory
https://github.com/Dolibarr/dolibarr/issues/11671 third-party-advisory
https://gauravnarwani.com/publications/CVE-2019-15062/ third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2019-15062 third-party-advisory

Open in Interactive Console →