CVE-2021-33816: Improper Control of Generation of Code ('Code Injection')

November 10, 2021 (updated November 17, 2022)

The website builder module in Dolibarr allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.

References

seclists.org/fulldisclosure/2021/Nov/39
nvd.nist.gov/vuln/detail/CVE-2021-33816
trovent.github.io/security-advisories/TRSA-2106-01/TRSA-2106-01.txt
trovent.io/security-advisory-2106-01

Code Behaviors & Features

Detect and mitigate CVE-2021-33816 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →