CVE-2025-67486— Dolibarr has an Authenticated Remote Code Execution via eval() injection in user extrafields

Dolibarr has an Authenticated Remote Code Execution via eval() injection in user extrafields

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available.

N/A

输出中的特殊元素转义处理不恰当(注入)

Dolibarr 注入漏洞

Dolibarr是Dolibarr开源的一个应用软件。可帮助管理用户组织的活动。 Dolibarr 22.0.2及之前版本存在注入漏洞，该漏洞源于用户额外字段功能中的认证远程代码执行问题，用户控制的computed value字段输入未经充分清理直接传递给PHP的eval函数，可能导致认证管理员在服务器上执行任意PHP代码。

N/A

N/A