Platform
php
Component
dolibarr/dolibarr
Fixed in
9.0.2
CVE-2024-5314 describes a critical SQL injection vulnerability affecting Dolibarr ERP - CRM versions up to and including 9.0.1. The flaw allows a remote attacker to inject SQL through the sortorder and sortfield parameters handled by /dolibarr/admin/dict.php, where the values are used to build the ORDER BY clause of a query. Successful injection can lead to unauthorized read and write access to the database. A patch is available in version 9.0.2.
Successful exploitation of CVE-2024-5314 could give an attacker control over the Dolibarr database, bounded by the privileges of the database account Dolibarr connects with. That includes reading customer data (names, addresses, financial information), employee records, vendor details, and system configuration, as well as modifying or deleting data, with the resulting corruption and operational disruption. Because Dolibarr is an ERP, the blast radius extends to every business process that relies on it. One prerequisite to weigh in your own assessment: dict.php lives under Dolibarr's admin/ directory, which in a stock installation is reachable only by an authenticated administrator, so the attacker needs (or must first obtain) an admin session. No direct precedent exists for this specific flaw, but SQL injection remains one of the most commonly exploited vulnerability classes, and the potential for data exfiltration and further compromise is significant.
CVE-2024-5314 was publicly disclosed on 2024-05-24. Its CVSS score of 9.1 (Critical) measures severity, not likelihood: the EPSS score of 0.21% (43rd percentile) predicts a low probability of exploitation in the wild at the time of writing. No public proof-of-concept (PoC) code has been released so far, but SQL injection through a request parameter is usually straightforward to reproduce once the affected location is known, so assume the window before a PoC appears is short. The vulnerability is not currently listed in the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for signs of active exploitation targeting Dolibarr instances, and watch your own access logs for requests to /dolibarr/admin/dict.php whose sortfield or sortorder values contain anything other than a plain column name or ASC/DESC.
Exploit Status
EPSS
0.21% (43rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-5314 is to upgrade Dolibarr ERP - CRM to version 9.0.2 or later without delay. If upgrading is not immediately feasible, apply temporary workarounds. The effective fix for the sortorder and sortfield parameters in /dolibarr/admin/dict.php is an allowlist: accept only known column names for sortfield and only ASC or DESC for sortorder, and emit the canonical value rather than the raw input. Escaping and prepared statements do not help here, because these values become an identifier and a keyword in the ORDER BY clause, not bound data. A Web Application Firewall (WAF) rule that blocks requests to this endpoint whose sortfield or sortorder values contain characters outside a plain identifier adds a second layer. Also review who holds the administrator role, since the admin/ scripts are the reachable surface. After upgrading, verify the fix on a staging copy of the instance, with authorization, by confirming that crafted values for the two parameters are rejected or neutralized; do not send injection payloads at a production system.
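The allowlist pattern described above, shown as an added example in PHP. This is not Dolibarr's own code; the table name dict_example, the column names code/label/active, and the function names are hypothetical placeholders, and the request values at the bottom are constructed for the demonstration. The unsafe builder is included only to make the contrast visible.

```php
<?php
declare(strict_types=1);

// Added example, not Dolibarr's own code. Table and column names
// (dict_example, code, label, active) are hypothetical placeholders.

// Vulnerable pattern: the two sort parameters are concatenated straight
// into the query. Parameter binding cannot fix this, because ORDER BY
// takes an identifier and a keyword, neither of which can be a bound value.
function buildOrderByUnsafe(string $sortfield, string $sortorder): string
{
    return 'SELECT rowid, code, label FROM dict_example ORDER BY '
        . $sortfield . ' ' . $sortorder;
}

// Hardened pattern: map the request value onto a fixed allowlist of
// column names and onto exactly ASC/DESC, then emit the canonical
// spelling from the allowlist rather than anything the client sent.
function buildOrderBySafe(string $sortfield, string $sortorder, array $allowedFields): string
{
    $field = $allowedFields[strtolower(trim($sortfield))] ?? null;
    $order = strtoupper(trim($sortorder));
    if ($field === null || !in_array($order, ['ASC', 'DESC'], true)) {
        throw new InvalidArgumentException('sortfield/sortorder rejected');
    }
    return 'SELECT rowid, code, label FROM dict_example ORDER BY '
        . $field . ' ' . $order;
}

// Request-level wrapper: read sortfield/sortorder from a GET-style array,
// fall back to a safe default when absent, and reject anything else.
function orderByFromRequest(array $get, array $allowedFields): string
{
    $field = (string) ($get['sortfield'] ?? 'code');
    $order = (string) ($get['sortorder'] ?? 'ASC');
    return buildOrderBySafe($field, $order, $allowedFields);
}

// Allowlist: request value (lower-cased) => column name to emit.
$allowedFields = ['code' => 'code', 'label' => 'label', 'active' => 'active'];

// Constructed inputs: one benign request, two shaped like injection attempts.
$requests = [
    ['sortfield' => 'label', 'sortorder' => 'desc'],
    ['sortfield' => 'label, (SELECT 1)', 'sortorder' => 'ASC'],
    ['sortfield' => 'code', 'sortorder' => 'ASC -- '],
];

foreach ($requests as $get) {
    echo 'unsafe: ', buildOrderByUnsafe($get['sortfield'], $get['sortorder']), PHP_EOL;
    try {
        echo 'safe:   ', orderByFromRequest($get, $allowedFields), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Run it with `php example.php`: the first request produces `ORDER BY label DESC` from both builders, while the second and third are passed through verbatim by the unsafe builder and rejected by the safe one. The same allowlist check, applied to the query string of requests for /dolibarr/admin/dict.php in your access logs, doubles as a cheap detection rule.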
Update Dolibarr ERP - CRM to a version later than 9.0.1 (9.0.2 or newer) to fix the SQL injection vulnerability. Refer to the official Dolibarr website for the latest version and upgrade instructions, and apply security updates as soon as they are available.
CVE-2024-5314 is a critical SQL injection vulnerability in Dolibarr ERP - CRM versions up to and including 9.0.1. It allows an attacker to inject SQL through the sortfield and sortorder parameters of /dolibarr/admin/dict.php and potentially read or modify sensitive data.
You are affected if you are running Dolibarr ERP - CRM version 9.0.1 or earlier. Upgrade to version 9.0.2 or later to resolve the vulnerability.
The recommended fix is to upgrade Dolibarr ERP - CRM to version 9.0.2 or later. Temporary workarounds include allowlist validation of the two sort parameters and a WAF rule in front of the affected endpoint.
No active exploitation has been confirmed and the EPSS score is currently low, but the severity of the flaw and the ease with which SQL injection is typically reproduced mean exploitation should be expected once a PoC circulates.
Refer to the official Dolibarr website for release notes and upgrade information: [https://www.dolibarr.org/](https://www.dolibarr.org/)