On 10.05.2017 10:28, FOXMOLE Advisories wrote:
> === FOXMOLE - Security Advisory 2017-02-23 ===
> 
> Dolibarr ERP & CRM  - Multiple Issues
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Affected Versions
> =================
> Dolibarr 4.0.4
> 
> Issue Overview
> ==============
> Vulnerability Type: SQL Injection, Cross Site Scripting,
>                     Weak Hash Algorithm without Salt, Weak Password Change 
> Method
> Technical Risk: critical
> Likelihood of Exploitation: medium
> Vendor: Dolibarr
> Vendor URL: https://www.dolibarr.org/
> Credits: FOXMOLE employees Tim Herres and Stefan Pietsch
> Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-02-23.txt
> Advisory Status: Public
> OVE-ID: OVE-20170223-0001
> CVE Number: CVE-2017-7886, CVE-2017-7887, CVE-2017-7888
> CVE URL: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7886
>          https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7887
>          https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7888
> CWE-ID: CWE-79, CWE-89, CWE-327, CWE-620, CWE-759
> CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

--- snip ---

Here is a small update to our security advisory.

An additional CVE ID got assigned for the password change finding:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8879


Meanwhile the Dolibarr developers fixed more possible SQL injection bugs
in this git commit:
https://github.com/Dolibarr/dolibarr/commit/fa290c34fad108ec7c0751c0372ae9c4b4f63b06

They still didn't release a fixed version of the Dolibarr software.



For CVE-2017-7886 I don't agree with the CVSS v2 scoring from the NIST.
They rated "Confidentiality Impact" as partial while I think it is
complete as we have full access to all tables.


Regards,
Stefan

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to