CVE-2023-30253

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users of Dolibarr to execute arbitrary code on the server by injecting PHP code that uses uppercase <?PHP tags instead of the standard lowercase <?php tags. It affects all Dolibarr installations before version 17.0.1 where the user has write access to the affected components. Successful exploitation gives remote code execution with the privileges of the web server process.

💻 Affected Systems

Products:
  • Dolibarr ERP/CRM
Versions: All versions before 17.0.1
Operating Systems: All operating systems running Dolibarr
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated account with write permissions to the vulnerable components. The check that is meant to stop PHP code in submitted content only recognises the lowercase <?php tag, so the uppercase <?PHP form is not caught.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install backdoors, pivot to other systems, or deploy ransomware.

🟠

Likely Case

Unauthorized data access, modification of business data, installation of web shells for persistent access, or disruption of business operations.

🟢

If Mitigated

Limited impact if proper input validation and output encoding are implemented, with restricted user permissions and network segmentation.

🌐 Internet-Facing: HIGH - Internet-facing Dolibarr instances are directly accessible to attackers who can attempt to exploit authenticated user accounts.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal accounts, but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has valid credentials. The vulnerability is publicly documented with technical details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 17.0.1 and later

Vendor Advisory: https://github.com/Dolibarr/dolibarr

Restart Required: No

Instructions:

1. Back up your Dolibarr database and files.
2. Download Dolibarr 17.0.1 or later from the official repository.
3. Replace the existing installation files with the patched version.
4. Verify functionality and check for any custom modifications that need updating.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement custom input validation that rejects or sanitizes submitted content containing a PHP open tag in any case (<?php, <?PHP or mixed case), not only the lowercase form

Implement in application code (PHP; the /i flag makes the match case-insensitive, so lowercase, uppercase and mixed-case tags are all caught):

    if (preg_match('/<\?php/i', $input)) {
        // Reject the submission rather than trying to strip the tag.
        throw new InvalidArgumentException('PHP open tag not allowed in submitted content');
    }
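As an added example (not Dolibarr's own code), the following PHP contrasts a case-sensitive tag check of the kind this bug bypasses with a hardened one, run over constructed inputs; the function names are hypothetical.

```php
<?php
// Added example (not Dolibarr's code): the case-sensitive tag check that
// CVE-2023-30253's uppercase '<?PHP' bypasses, beside a hardened check.
declare(strict_types=1);

// Weak check: matches only the lowercase tag, so '<?PHP' and '<?Php' pass.
function containsPhpTagWeak(string $content): bool
{
    return strpos($content, '<?php') !== false;
}

// Hardened check: every PHP open tag starts with '<?' ('<?php' in any case,
// '<?=' and the bare short tag when short_open_tag is on), so reject the
// two-character prefix itself instead of enumerating spellings.
function containsPhpTagHardened(string $content): bool
{
    return strpos($content, '<?') !== false;
}

// Fail closed: rejecting the submission is safer than stripping or rewriting
// tags, which is exactly where case and encoding variants slip through.
function validateSubmittedContent(string $content): void
{
    if (containsPhpTagHardened($content)) {
        throw new InvalidArgumentException('PHP open tag not allowed in submitted content');
    }
}

// Constructed samples, including the uppercase form named in the advisory.
$samples = [
    '<p>Hello</p>'          => false,
    '<?php echo 1; ?>'      => true,
    '<?PHP echo 1; ?>'      => true,  // uppercase: passes the weak check
    '<?Php echo 1; ?>'      => true,  // mixed case: also passes the weak check
    '<?= 1 ?>'              => true,  // short echo tag: no "php" word at all
    '<?xml version="1.0"?>' => true,  // rejected too; see note below
];

foreach ($samples as $content => $mustBlock) {
    $weak = containsPhpTagWeak($content) ? 'BLOCK' : 'allow';
    $hard = containsPhpTagHardened($content) ? 'BLOCK' : 'allow';
    printf("%-24s weak=%-5s hardened=%s\n", $content, $weak, $hard);
    assert(containsPhpTagHardened($content) === $mustBlock);
}
```

With short_open_tag enabled, PHP treats the '<?' of an XML prolog as an open tag, so rejecting '<?xml' is the correct default for content that ends up in a PHP-evaluated file; if XML prologs must be accepted, that needs a deliberate, separately reviewed exception.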

Web Application Firewall Rule

Applies to: all

Configure WAF to block requests containing uppercase PHP tags

Add WAF rule: block requests whose parameters or body contain "<?php" matched case-insensitively (so "<?PHP" and mixed-case variants are covered), including the URL-encoded form "%3C%3Fphp".

🧯 If You Can't Patch

  • Implement strict access controls and least privilege principles for all Dolibarr user accounts
  • Deploy network segmentation to isolate Dolibarr servers and implement intrusion detection monitoring

🔍 How to Verify

Check if Vulnerable:

Check the Dolibarr version in the admin interface, or read the DOL_VERSION constant in the source tree (defined in htdocs/filefunc.inc.php)

Check Version:

grep -n "define('DOL_VERSION'" htdocs/filefunc.inc.php

Verify Fix Applied:

Verify version is 17.0.1 or later and test that uppercase PHP tags are properly filtered

📡 Detection & Monitoring

Log Indicators:

  • Web server logs showing POST/PUT requests with PHP code containing <?PHP tags
  • Dolibarr application logs showing unexpected file writes or code execution

Network Indicators:

  • Unusual outbound connections from Dolibarr server
  • HTTP requests with PHP code in parameters

SIEM Query:

source="web_logs" AND ("<?PHP" OR "%3C%3Fphp" OR "%3C%3FPHP")
