Description
Dolibarr versions 2.8.1 through 13.0.4 do not restrict, or incorrectly restrict, access to a resource from an unauthorized actor (improper access control). A low-privileged authenticated user can modify the private note of a member record, an action that only an administrator should be allowed to perform. The affected field is exposed by the “/adherents/note.php?id=1” endpoint, where the id parameter selects the member record. The practical check is to log in as an account without member-edit rights, submit a change to the private note through that endpoint, and confirm whether the stored note changes; the server must reject the write regardless of whether the edit control is shown in the UI.
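The following is an added illustration of the class of bug described above, written for this page and not taken from Dolibarr or its fix. It shows a note-page handler in the shape of the vulnerable pattern (the write branch is reachable by any logged-in user) next to the hardened shape (the permission is computed server-side and enforced on the state-changing branch). The helper names used (GETPOST, accessforbidden, restrictedArea, setEventMessages, $user->rights->adherent->creer, $object->update_note) follow Dolibarr conventions but are assumptions for this example; the real note.php differs.

```php
<?php
// Added example, not Dolibarr's own code. Assumed Dolibarr-style helpers:
// GETPOST(), accessforbidden(), restrictedArea(), setEventMessages(),
// $user->rights->adherent->creer and $object->update_note() are used as if
// they exist with their usual meaning; treat them as assumptions.

/**
 * Vulnerable shape: the only gate in front of the write is "the request
 * comes from a logged-in session". Any authenticated user who posts
 * action=setnote_private to note.php?id=<member> updates the private note,
 * because the permission is only consulted when rendering the edit widget,
 * never when processing the submitted form.
 */
function handle_private_note_vulnerable($db, $user, $object, $action)
{
    if ($action == 'setnote_private') {
        // No rights check here: this is the bug.
        return $object->update_note(GETPOST('note_private', 'restricthtml'), '_private');
    }
    return 0;
}

/**
 * Hardened shape: compute the permission once from the user's rights, stop
 * the request entirely if the user may not see this member, and enforce the
 * write permission on the state-changing branch itself. Hiding the edit
 * control in the template is not a substitute for this server-side check.
 */
function handle_private_note_fixed($db, $user, $object, $action)
{
    $id = $object->id;

    // Object-level access: can this user reach this member record at all?
    restrictedArea($user, 'adherent', $id);

    // Write permission: member create/modify right, assumed to be the right
    // that governs editing member notes.
    $permissionnote = !empty($user->rights->adherent->creer);

    if ($action == 'setnote_private') {
        if (!$permissionnote) {
            // Deny the write before any change is made.
            accessforbidden();
        }
        $result = $object->update_note(GETPOST('note_private', 'restricthtml'), '_private');
        if ($result < 0) {
            setEventMessages($object->error, $object->errors, 'errors');
        }
        return $result;
    }
    return 0;
}
```

The point of the hardened version is that the same $permissionnote value drives both the template (whether an edit control is offered) and the handler (whether a submitted change is applied); an attacker who crafts the POST directly never sees the template, so only the handler-side check matters.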
Remediation
References
Related Vulnerabilities
WordPress Plugin Contact Form by BestWebSoft Cross-Site Scripting (3.51)
WordPress Plugin WP Post Rating Security Bypass (2.4.6)
Drupal Core 8.x Multiple Vulnerabilities (8.0.0 - 8.2.2)
WordPress Plugin Email Before Download SQL Injection (3.6)
Drupal Core 9.0.x Cross-Site Request Forgery (9.0.0 - 9.0.14)