CVE-2025-69634
Cross-Site Request Forgery in Dolibarr perms.php Enables Privilege Escalation
Publication date: 2026-02-12
Last updated on: 2026-02-14
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dolibarr | dolibarr | up to 22.0.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-598 | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69634 is a critical Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr ERP & CRM version 22.0.9 that allows a remote attacker to escalate privileges via the notes field in perms.php.
The vulnerability arises because administrator permission changes are executed through HTTP GET requests, the anti-CSRF token is exposed in the URL query string, and low-privileged users can perform HTML injection on notes or fields.
An attacker can inject malicious HTML content that, when viewed by an administrator who clicks a crafted link, results in immediate administrative privilege takeover.
Root causes include state-changing actions via GET requests, CSRF tokens in URLs, HTML injection in user-controlled fields, and lack of confirmation dialogs before modifying privileges.
How can this vulnerability impact me?
This vulnerability can lead to a critical privilege escalation where an attacker gains administrative control over the Dolibarr ERP & CRM system.
The attacker can manipulate permissions and potentially take over administrative accounts, compromising confidentiality, integrity, and availability of the system.
The CVSS v3.1 score of 9.0 reflects the high severity and impact on access control, data integrity, and system availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for HTTP GET requests that change administrator permissions, especially those containing CSRF tokens in the URL query string.
You can look for suspicious GET requests to perms.php with parameters related to permission changes and CSRF tokens exposed in the URL.
- Use network traffic analysis tools (e.g., tcpdump, Wireshark) to capture HTTP GET requests targeting perms.php.
- Example command to capture HTTP GET requests to perms.php using tcpdump: `tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET /perms.php'`
- Search web server logs for GET requests to perms.php containing CSRF tokens in the query string.
- Example grep command on Apache logs: `grep 'GET /perms.php' /var/log/apache2/access.log | grep 'csrf_token='` [1]
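As an added example (not from the advisory and not Dolibarr's own code), a small Python checker that applies the log-based detection above to Apache combined-format lines: it flags GET requests to perms.php that carry a CSRF token or an action parameter in the query string and records whether the Referer is cross-origin. The token and action parameter names, the /user/ path prefix and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the advisory): the token parameter name varies by version,
# and state-changing requests carry an "action" parameter.
TOKEN_PARAMS = {"csrf_token", "token"}
ACTION_PARAM = "action"
# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def analyze_line(line: str, site_host: str):
    """Return a finding dict for a suspicious GET to perms.php, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/perms.php"):
        return None
    params = parse_qs(url.query)
    token_in_url = any(p in params for p in TOKEN_PARAMS)
    state_changing = ACTION_PARAM in params
    if not (token_in_url or state_changing):
        return None  # plain page view, e.g. an admin opening the permissions tab
    referer = m["referer"]
    ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
    return {
        "ip": m["ip"],
        "path": url.path,
        "token_in_url": token_in_url,
        "state_changing": state_changing,
        "referer_host": ref_host,
        # A cross-origin or missing Referer is the classic CSRF tell, but the lure may be
        # HTML injected into a notes field and clicked inside the app, so same-origin does not clear it.
        "cross_origin": ref_host != site_host,
    }

def scan(log_text: str, site_host: str):
    return [f for f in (analyze_line(l, site_host) for l in log_text.splitlines()) if f]

# Constructed sample lines (not real traffic); the /user/ prefix is assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:10:01:12 +0000] "GET /user/perms.php?id=5&action=addrights&pid=42&csrf_token=abc123 HTTP/1.1" 200 512 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2026:10:02:30 +0000] "GET /user/perms.php?id=5 HTTP/1.1" 200 9876 "https://erp.example.com/user/card.php?id=5" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2026:10:03:01 +0000] "GET /user/perms.php?id=5&action=addrights&pid=43&csrf_token=def456 HTTP/1.1" 200 512 "https://erp.example.com/user/perms.php?id=5" "Mozilla/5.0"
203.0.113.9 - - [12/Feb/2026:10:04:45 +0000] "POST /user/perms.php HTTP/1.1" 302 0 "https://erp.example.com/user/perms.php?id=5" "Mozilla/5.0"
"""
```

Running `scan(SAMPLE_LOG, "erp.example.com")` returns two findings: the cross-origin lure on the first line and the same-origin permission change on the third, while the plain page view and the POST are ignored.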
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Convert all permission-changing actions from HTTP GET requests to POST requests to prevent state changes via URL.
- Remove CSRF tokens from URL query strings and store them securely in POST request bodies.
- Add confirmation dialogs before any administrative permission changes are applied.
- Implement a strict Referrer-Policy header (strict-origin) to limit information leakage.
- Apply additional validation and sanitization on HTML rendering contexts to prevent HTML injection.