Impact
Dolibarr ERP CRM 7.0.3 contains a flaw that allows an unauthenticated attacker to execute arbitrary PHP code by injecting PHP into the db_name parameter of the install/step1.php script. When a crafted POST request is sent, the injected payload is evaluated, after which the attacker can call the check.php endpoint with a cmd parameter to run arbitrary system commands. This remote code execution compromises the confidentiality, integrity, and availability of the affected server.
Affected Systems
The vulnerability targets the Dolibarr ERP CRM product, specifically version 7.0.3. No other Dolibarr releases or product lines have been confirmed to contain this flaw according to available data.
Risk and Exploitability
The CVSS score is 9.3, indicating critical severity, and the EPSS score of 2% suggests a modest probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but the absence of a KEV listing does not lower the risk. Attackers can exploit the flaw without authentication by sending a crafted POST request to install/step1.php and subsequently executing commands via check.php.
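Both stages of the attack described above leave traces in the web server access log, so a defender can hunt for them. The following Python script is an added example (not part of the advisory or of Dolibarr) that scans combined-format access logs for a POST to install/step1.php followed by a request to check.php carrying a cmd parameter; the log format, the install-directory location of check.php and the sample lines are assumptions. Access logs do not record POST bodies, so the db_name payload itself is not visible; any POST to the installer after setup is therefore treated as suspicious on its own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format (assumed; adjust for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines: a normal page view, the installer POST, the command call,
# and a harmless check.php request without a cmd parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2018:10:01:02 +0000] "GET /dolibarr/index.php HTTP/1.1" 200 5123
203.0.113.9 - - [12/May/2018:10:01:10 +0000] "POST /dolibarr/install/step1.php HTTP/1.1" 200 2048
203.0.113.9 - - [12/May/2018:10:01:15 +0000] "GET /dolibarr/install/check.php?cmd=PLACEHOLDER HTTP/1.1" 200 77
203.0.113.9 - - [12/May/2018:10:01:20 +0000] "GET /dolibarr/install/check.php HTTP/1.1" 200 77
"""

def classify(line):
    """Return an alert tag for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    query = parse_qs(parts.query)
    # Stage 1: the installer should not be reachable after setup; any POST to step1.php is suspicious.
    if m.group("method") == "POST" and path.endswith("/install/step1.php"):
        return "installer-post"
    # Stage 2: check.php reached with a cmd parameter is the command-execution indicator.
    if path.endswith("/check.php") and "cmd" in query:
        return "check-cmd"
    return None

def scan(log_text):
    """Group alert tags by source IP; a source showing both stages is the highest-confidence hit."""
    hits = {}
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            ip = LOG_RE.match(line).group("ip")
            hits.setdefault(ip, set()).add(tag)
    return hits

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        level = "HIGH" if {"installer-post", "check-cmd"} <= tags else "MEDIUM"
        print(f"{level} {ip}: {sorted(tags)}")
```

Run it against a real log with `scan(open(path).read())`; a single source that triggers both tags in a short window is the pattern the advisory describes.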
OpenCVE Enrichment