CVE-2025-69634
Awaiting Analysis Awaiting Analysis - Queue
Cross-Site Request Forgery in Dolibarr perms.php Enables Privilege Escalation

Publication date: 2026-02-12

Last updated on: 2026-02-14

Assigner: MITRE

Description
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token of an admin user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-14
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69634
EUVD
EUVD-2025-206973
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dolibarr dolibarr to 22.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-598 The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-69634 is a critical Cross Site Request Forgery (CSRF) vulnerability in Dolibarr ERP & CRM version 22.0.9 that allows a remote attacker to escalate privileges via the notes field in perms.php.

The vulnerability arises because administrator permission changes are executed through HTTP GET requests, the anti-CSRF token is exposed in the URL query string, and low-privileged users can perform HTML injection on notes or fields.

An attacker can inject malicious HTML content that, when viewed by an administrator who clicks a crafted link, results in immediate administrative privilege takeover.

Root causes include state-changing actions via GET requests, CSRF tokens in URLs, HTML injection in user-controlled fields, and lack of confirmation dialogs before modifying privileges.

Impact Analysis

This vulnerability can lead to a critical privilege escalation where an attacker gains administrative control over the Dolibarr ERP & CRM system.

The attacker can manipulate permissions and potentially take over administrative accounts, compromising confidentiality, integrity, and availability of the system.

The CVSS v3.1 score of 9.0 reflects the high severity and impact on access control, data integrity, and system availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for HTTP GET requests that change administrator permissions, especially those containing CSRF tokens in the URL query string.'}, {'type': 'paragraph', 'content': 'You can look for suspicious GET requests to perms.php with parameters related to permission changes and CSRF tokens exposed in the URL.'}, {'type': 'list_item', 'content': 'Use network traffic analysis tools (e.g., tcpdump, Wireshark) to capture HTTP GET requests targeting perms.php.'}, {'type': 'list_item', 'content': "Example command to capture HTTP GET requests to perms.php using tcpdump: tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET /perms.php'"}, {'type': 'list_item', 'content': 'Search web server logs for GET requests to perms.php containing CSRF tokens in the query string.'}, {'type': 'list_item', 'content': "Example grep command on Apache logs: grep 'GET /perms.php' /var/log/apache2/access.log | grep 'csrf_token='"}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Convert all permission-changing actions from HTTP GET requests to POST requests to prevent state changes via URL.
  • Remove CSRF tokens from URL query strings and store them securely in POST request bodies.
  • Add confirmation dialogs before any administrative permission changes are applied.
  • Implement a strict Referrer-Policy header (strict-origin) to limit information leakage.
  • Apply additional validation and sanitization on HTML rendering contexts to prevent HTML injection.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69634. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart