Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in its database backup feature. The export.php script fails to sanitize the sql_compat parameter, allowing authenticated users to inject arbitrary system commands, resulting in remote code execution on the server.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Sat, 16 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Dolibarr
Dolibarr dolibarr
Dolibarr dolibarr Erp/crm
Vendors & Products Dolibarr
Dolibarr dolibarr
Dolibarr dolibarr Erp/crm

Thu, 14 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 Aug 2025 20:45:00 +0000

Type Values Removed Values Added
Description Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in its database backup feature. The export.php script fails to sanitize the sql_compat parameter, allowing authenticated users to inject arbitrary system commands, resulting in remote code execution on the server.
Title Dolibarr ERP/CRM Post-Auth OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-08-14T14:21:38.227Z

Reserved: 2025-08-11T19:34:12.437Z

Link: CVE-2012-10059

cve-icon Vulnrichment

Updated: 2025-08-14T14:21:28.893Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-13T21:15:30.453

Modified: 2025-08-14T15:15:31.170

Link: CVE-2012-10059

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-16T21:41:22Z