CVE-2025-69634
Dolibarr · Dolibarr ERP & CRM
A Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr ERP & CRM v.22.0.9 allows remote attackers to escalate privileges by manipulating the notes field in perms.php.
Executive summary
Dolibarr ERP & CRM is vulnerable to a CSRF attack that can be used to escalate user privileges, potentially granting attackers administrative access to the entire business platform.
Vulnerability
This CSRF vulnerability exists in the perms.php file. By tricking an authenticated administrator into visiting a malicious website, an attacker can silently execute actions on the administrator's behalf to modify permissions and escalate their own account's privileges.
Business impact
With a CVSS score of 9.0, this is a critical threat to business operations. Privilege escalation in an ERP/CRM system allows attackers to access sensitive financial data, customer information, and corporate secrets, leading to severe financial and legal consequences.
Remediation
Immediate Action: Update Dolibarr ERP & CRM to a version later than 22.0.9 that includes proper CSRF token validation for all sensitive actions.
Proactive Monitoring: Review user permission change logs for unexpected modifications and educate staff on the risks of clicking suspicious links while logged into administrative sessions.
Compensating Controls: Deploy a Web Application Firewall (WAF) with CSRF protection enabled and ensure that administrative sessions have short timeout durations.
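The remediation above hinges on the fix in the patched release: a state-changing permission request must carry a per-session CSRF token that the server verifies before acting. The following Python module is an added illustration of that check, not Dolibarr's own code and not a reproduction of perms.php; the Session and Request types, the grant_permission handler, the TRUSTED_ORIGINS value and the sample permission names are all constructed for this example.

```python
"""Synchronizer-token CSRF protection in front of a permission-change handler.

Added example (hypothetical names throughout); it shows why a forged
cross-site POST from an attacker-controlled page is rejected even when the
victim is a logged-in administrator.
"""
from dataclasses import dataclass, field
import hmac
import secrets
from urllib.parse import urlparse

# Constructed value: the application's own origin, the only one allowed
# to submit state-changing forms.
TRUSTED_ORIGINS = {"https://erp.example.test"}


@dataclass
class Session:
    """Server-side session for an authenticated user (hypothetical)."""
    user_id: str
    is_admin: bool
    data: dict = field(default_factory=dict)


@dataclass
class Request:
    """Minimal view of an HTTP request (hypothetical)."""
    method: str
    headers: dict
    form: dict


def issue_csrf_token(session: Session) -> str:
    """Return the per-session token that every state-changing form must embed."""
    if "csrf_token" not in session.data:
        session.data["csrf_token"] = secrets.token_urlsafe(32)
    return session.data["csrf_token"]


def csrf_check(session: Session, request: Request) -> tuple:
    """Validate a state-changing request; returns (ok, reason)."""
    if request.method.upper() != "POST":
        return False, "state change must use POST"
    # Source-origin check (defense in depth): a form auto-submitted from a
    # malicious site carries that site's Origin, or its Referer on older agents.
    origin = request.headers.get("Origin")
    if origin is None:
        ref = request.headers.get("Referer")
        if ref:
            p = urlparse(ref)
            origin = f"{p.scheme}://{p.netloc}"
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {origin}"
    expected = session.data.get("csrf_token")
    submitted = request.form.get("token")
    if not expected or not submitted:
        return False, "missing token"
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(expected, submitted):
        return False, "token mismatch"
    return True, "ok"


def grant_permission(session: Session, request: Request, perms: dict) -> tuple:
    """Apply a permission change only after both authorization and CSRF checks pass.

    perms maps user id -> set of permission names (constructed store).
    """
    if not session.is_admin:
        return False, "not an admin"
    ok, why = csrf_check(session, request)
    if not ok:
        return False, why
    target = request.form.get("user")
    perm = request.form.get("perm")
    if not target or not perm:
        return False, "missing fields"
    perms.setdefault(target, set()).add(perm)
    return True, "granted"


if __name__ == "__main__":
    admin = Session(user_id="admin", is_admin=True)
    token = issue_csrf_token(admin)
    store = {}
    # Legitimate submission from the application's own form.
    legit = Request("POST", {"Origin": "https://erp.example.test"},
                    {"user": "bob", "perm": "read_reports", "token": token})
    print(grant_permission(admin, legit, store))
    # Cross-site submission riding on the admin's session cookie: no token.
    forged = Request("POST", {"Origin": "https://attacker.example.test"},
                     {"user": "mallory", "perm": "superadmin"})
    print(grant_permission(admin, forged, store))
    print(store)
```

The Origin check alone is not sufficient (it is absent on some requests), and the token alone is what the patched release relies on; the example layers both so that a log line such as "untrusted origin ..." can also feed the permission-change monitoring recommended above.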
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability to escalate privileges through CSRF is a major security flaw. It is critical to apply the vendor's security patches immediately and to enforce strict session management policies to protect the integrity of the ERP/CRM environment.