CVE-2021-37517: Fix Improper Authorization Check reported by Ahsan Aziz. · Dolibarr/dolibarr@b57eb82
An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) in the forgot-password function because the application allows email addresses as usernames, which can cause a Denial of Service.
@@ -1280,6 +1280,10 @@ public function create($user, $notrigger = 0)
$langs->load(“errors”);
$this->error = $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv(“Login”));
return -1;
} elseif (preg_match(‘/[,@<>"\’]/’, $this->login)) {
$langs->load(“errors”);
$this->error = $langs->trans(“ErrorBadCharIntoLoginName”);
return -1;
}
$this->datec = dol_now();
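Review bot: The new `elseif (preg_match('/[,@<>"\']/', $this->login))` branch only runs when a user record is created or updated, so accounts whose login already contained `@` (or `,`, `<`, `>`, `"`, `'`) before this change presumably keep working and remain reachable through the forgot-password path the commit description targets; a one-off audit or migration of existing logins, plus the same rejection at the password-reset lookup itself, would close that gap. The identical pattern is repeated in the `update()` hunk below; hoisting it into one class constant, `const LOGIN_BAD_CHARS_REGEX = '/[,@<>"\']/';` and using `preg_match(self::LOGIN_BAD_CHARS_REGEX, $this->login)` in both places, keeps the two checks from drifting apart. A why-comment above the new branch, `// Reject characters that would let a login pass as an e-mail address (CVE-2021-37517)`, would document the intent for the next maintainer. `ErrorBadCharIntoLoginName` appears to be a new translation key as far as this page shows, so confirm it is defined in the errors language file or the user will see the raw key. `create()` continues outside the hunk.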
@@ -1669,6 +1673,10 @@ public function update($user, $notrigger = 0, $nosyncmember = 0, $nosyncmemberpa
$langs->load(“errors”);
$this->error = $langs->trans("ErrorFieldRequired", ‘Login’);
return -1;
} elseif (preg_match(‘/[,@<>"\’]/’, $this->login)) {
$langs->load(“errors”);
$this->error = $langs->trans(“ErrorBadCharIntoLoginName”);
return -1;
}
$this->db->begin();