Skip to main content

Incorrect Default Permissions

CVE-2020-13240

Severity Medium
Score 5.4/10

Summary

The DMS/ECM module in Dolibarr before 11.0.5 and 12.0.0, allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • LOW
  • LOW
  • NONE

CWE-276 - Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References

Advisory Timeline

  • Published