📄 Description (English)
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available.
🤖 AI Executive Summary
Dolibarr ERP/CRM versions 22.0.2 and earlier contain an authenticated remote code execution vulnerability in the user extrafields functionality where unsanitized input is passed directly to PHP's eval() function. This allows authenticated administrators to execute arbitrary PHP code on the server. With exploit code publicly available and no patched versions released at publication time, this poses an immediate threat to organizations using Dolibarr for critical business operations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 13, 2026 02:35
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Dolibarr for ERP/CRM operations face significant risk, particularly in: Banking sector (SAMA-regulated institutions using Dolibarr for customer management and financial operations), Government agencies (municipalities and federal entities managing citizen services), Healthcare sector (hospitals and clinics managing patient records and billing), Energy sector (ARAMCO contractors and suppliers using Dolibarr for supply chain management), Telecommunications (STC and other telecom operators managing customer relationships), and SMEs across all sectors. The vulnerability is particularly critical as it requires only authenticated administrator access, which is common in organizations where multiple staff members have administrative privileges. Compromise could lead to complete server takeover, data exfiltration of sensitive business and customer information, financial fraud, and disruption of critical business processes.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
Manufacturing and Supply Chain
Retail and E-commerce
Small and Medium Enterprises (SMEs)
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1059.007 - Command and Scripting Interpreter: JavaScript/JScript
T1203 - Exploitation for Client Execution
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1098 - Account Manipulation
T1005 - Data from Local System
T1041 - Exfiltration Over C2 Channel
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of Dolibarr ERP/CRM in your organization and document version numbers
2. Restrict administrative access to Dolibarr to only essential personnel with strong authentication (MFA if possible)
3. Review audit logs for any suspicious activity in the extrafields module, particularly any modifications to computed value fields
4. Implement network segmentation to isolate Dolibarr servers from critical systems
5. Enable detailed logging of all administrative actions within Dolibarr
PATCHING GUIDANCE:
1. Monitor the official Dolibarr GitHub repository and security advisories for patched versions (versions 23.0.0 or later when available)
2. Test patches in a non-production environment before deployment
3. Plan immediate deployment of patches upon availability
4. If running version 22.0.2 or earlier, prioritize upgrade planning
COMPENSATING CONTROLS (if patch unavailable):
1. Disable or restrict access to the extrafields functionality at the application level
2. Implement Web Application Firewall (WAF) rules to detect and block eval() function calls in POST requests to extrafields endpoints
3. Use PHP configuration to disable eval() function if not required for other applications (php.ini: disable_functions = eval)
4. Implement strict input validation and output encoding at the application level
5. Deploy intrusion detection signatures monitoring for suspicious PHP execution patterns
DETECTION RULES:
1. Monitor for POST requests to /admin/user_extrafields.php or similar endpoints with suspicious payloads
2. Alert on any PHP code patterns in the 'computed value' field (look for: system(), exec(), shell_exec(), passthru(), eval())
3. Monitor PHP error logs for unexpected code execution attempts
4. Track changes to extrafields configuration by administrators
5. Monitor for unusual process spawning from PHP processes running Dolibarr
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نسخ Dolibarr ERP/CRM في مؤسستك وقم بتوثيق أرقام الإصدارات
2. قيد الوصول الإداري إلى Dolibarr للموظفين الأساسيين فقط مع المصادقة القوية (MFA إن أمكن)
3. راجع سجلات التدقيق للنشاط المريب في وحدة الحقول الإضافية، خاصة أي تعديلات على حقول القيمة المحسوبة
4. طبق تقسيم الشبكة لعزل خوادم Dolibarr عن الأنظمة الحرجة
5. فعّل التسجيل التفصيلي لجميع الإجراءات الإدارية داخل Dolibarr
إرشادات التصحيح:
1. راقب مستودع Dolibarr الرسمي على GitHub والتنبيهات الأمنية للإصدارات المصححة (الإصدار 23.0.0 أو أحدث عند توفره)
2. اختبر التصحيحات في بيئة غير إنتاجية قبل النشر
3. خطط للنشر الفوري للتصحيحات عند توفره
4. إذا كنت تقوم بتشغيل الإصدار 22.0.2 أو أقدم، فأولويتك هي تخطيط الترقية
الضوابط البديلة (إذا لم يكن التصحيح متاحاً):
1. عطّل أو قيد الوصول إلى وظيفة الحقول الإضافية على مستوى التطبيق
2. طبق قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن استدعاءات دالة eval() وحجبها في طلبات POST إلى نقاط نهاية الحقول الإضافية
3. استخدم تكوين PHP لتعطيل دالة eval() إذا لم تكن مطلوبة لتطبيقات أخرى (php.ini: disable_functions = eval)
4. طبق التحقق من صحة المدخلات الصارمة وترميز المخرجات على مستوى التطبيق
5. نشّر توقيعات كشف الاختراق لمراقبة أنماط تنفيذ PHP المريبة
قواعد الكشف:
1. راقب طلبات POST إلى /admin/user_extrafields.php أو نقاط نهاية مماثلة مع حمولات مريبة
2. أصدر تنبيهات على أي أنماط كود PHP في حقل 'القيمة المحسوبة' (ابحث عن: system()، exec()، shell_exec()، passthru()، eval())
3. راقب سجلات أخطاء PHP لمحاولات تنفيذ الكود غير المتوقعة
4. تتبع التغييرات على تكوين الحقول الإضافية من قبل المسؤولين
5. راقب توليد العمليات غير العادية من عمليات PHP التي تقوم بتشغيل Dolibarr
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control and Authentication
5.2.1 - Segregation of Duties
5.3.1 - Change Management
6.1.1 - Vulnerability Management
6.2.1 - Security Patch Management
7.1.1 - Audit Logging and Monitoring
🔵 SAMA CSF
ID.AM-2 - Software Inventory
PR.AC-1 - Access Control
PR.PT-2 - Protective Technology
DE.CM-1 - Network Monitoring
DE.AE-1 - Anomaly Detection
RS.MI-1 - Incident Response
🟡 ISO 27001:2022
A.5.15 - Access Control
A.6.1.1 - Information Security Policies
A.8.1.1 - User Endpoint Devices
A.12.2.1 - Restrictions on Software Installation
A.12.6.1 - Management of Technical Vulnerabilities
A.14.2.1 - Secure Development Policy
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall Configuration
Requirement 2.2.4 - Configure System Security Parameters
Requirement 6.2 - Ensure Security Patches Installed
Requirement 6.5.1 - Injection Flaws
Requirement 10.2.1 - Audit Logging
🔗 References & Sources 3
🔗
https://github.com/Dolibarr/dolibarr/blob/22.0.2/htdocs/core/lib/functions.lib.php
security-advisories@github.com
Patch
🔗
https://medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution...
security-advisories@github.com
Exploit
Third Party Advisory
🔗
https://medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution...
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
📦 Affected Products / CPE 1 entries
dolibarr:dolibarr_erp\/crm