CVE-2023-4197— Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-4197
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Dolibarr ERP/CRM 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Dolibarr ERP/CRM是法国Dolibarr基金会的一套基于Web的企业资源计划(ERP)和客户关系管理(CRM)系统。该系统可用来管理产品、库存、发票、订单等。 Dolibarr ERP/CRM v18.0.1及之前版本存在安全漏洞,该漏洞源于存在输入验证错误问题,导致攻击者能够注入任意PHP代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Dolibarr | Dolibarr ERP CRM | 0 ~ 18.0.1 | - |
II. Public POCs for CVE-2023-4197
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | this is a simple script from CVE-2023-4197 that was little bit modified since because it didn't work at first time with broadlight machine from HTB which means that we have to modify the script a little bit and then use it as how the ducumentation says | https://github.com/alien-keric/CVE-2023-4197 | POC Details |
| 2 | this is a simple script from CVE-2023-4197 that was little bit modified since because it didn't work at first time with broadlight machine from HTB which means that we have to modify the script a little bit and then use it as how the ducumentation says | https://github.com/alienkeric/CVE-2023-4197 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-4197
请登录查看更多情报信息。
- https://starlabs.sg/advisories/23/23-4197third-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-4197
IV. Related Vulnerabilities
Same vendor: Dolibarr
- CVE-2025-67486
Dolibarr has an Authenticated Remote Code Execution via eval - CVE-2026-7689
Dolibarr ERP CRM Online Signature security.lib.php dol_verif - CVE-2026-7688
Dolibarr ERP CRM Shipments API Endpoint expedition.class.php - CVE-2026-23500
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF con - CVE-2019-25710
Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter
Same weakness: CWE-20
V. Comments for CVE-2023-4197
Anonymous User
2026-01-15 06:09:14Zaproxy alias impedit expedita quisquam pariatur exercitationem. Nemo rerum eveniet dolores rem quia dignissimos.