lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 May 2017 22:08:25 +0200
From: Stefan Pietsch <>
To: <>
Subject: Re: [FD] [oss-security] Dolibarr ERP & CRM - Multiple Issues

On 10.05.2017 10:28, FOXMOLE Advisories wrote:
> === FOXMOLE - Security Advisory 2017-02-23 ===
> Dolibarr ERP & CRM  - Multiple Issues
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Affected Versions
> =================
> Dolibarr 4.0.4
> Issue Overview
> ==============
> Vulnerability Type: SQL Injection, Cross Site Scripting,
>                     Weak Hash Algorithm without Salt, Weak Password Change Method
> Technical Risk: critical
> Likelihood of Exploitation: medium
> Vendor: Dolibarr
> Vendor URL:
> Credits: FOXMOLE employees Tim Herres and Stefan Pietsch
> Advisory URL:
> Advisory Status: Public
> OVE-ID: OVE-20170223-0001
> CVE Number: CVE-2017-7886, CVE-2017-7887, CVE-2017-7888
> CWE-ID: CWE-79, CWE-89, CWE-327, CWE-620, CWE-759
> CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

--- snip ---

Here is a small update to our security advisory.

An additional CVE ID got assigned for the password change finding:

Meanwhile the Dolibarr developers fixed more possible SQL injection bugs
in this git commit:

They still didn't release a fixed version of the Dolibarr software.

For CVE-2017-7886 I don't agree with the CVSS v2 scoring from the NIST.
They rated "Confidentiality Impact" as partial while I think it is
complete as we have full access to all tables.


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists