CVE-2024-5315 Overview
CVE-2024-5315 is a SQL Injection vulnerability affecting Dolibarr ERP/CRM version 9.0.1. This vulnerability allows a remote attacker to send a specially crafted SQL query to the system and retrieve all information stored in the database through the viewstatut parameter in /dolibarr/commande/list.php. Dolibarr is a widely-used open-source ERP and CRM platform designed for small and medium-sized businesses, making this vulnerability particularly concerning for organizations managing sensitive business data.
Critical Impact
Remote unauthenticated attackers can extract complete database contents including customer records, financial data, user credentials, and other sensitive business information stored in Dolibarr ERP/CRM systems.
Affected Products
- Dolibarr ERP/CRM version 9.0.1
Discovery Timeline
- 2024-05-24 - CVE-2024-5315 published to NVD
- 2025-04-10 - Last updated in NVD database
Technical Details for CVE-2024-5315
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in the order list functionality of Dolibarr ERP/CRM. The viewstatut parameter in /dolibarr/commande/list.php fails to properly sanitize user-supplied input before incorporating it into SQL queries. This allows attackers to inject arbitrary SQL commands that are executed with the privileges of the database user configured for the Dolibarr application.
The vulnerability enables attackers to bypass application-level security controls entirely and interact directly with the underlying database. Successful exploitation can lead to unauthorized access to confidential business data, modification of critical records, and potential lateral movement within the target environment.
Root Cause
The root cause of this vulnerability is improper input validation and lack of parameterized queries in the handling of the viewstatut parameter. When processing requests to the /dolibarr/commande/list.php endpoint, user-supplied values are concatenated directly into SQL statements without adequate sanitization or the use of prepared statements. This classic SQL injection pattern allows attackers to break out of the intended query context and execute arbitrary database commands.
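The concatenation pattern described above, side by side with its parameterized replacement, as an added illustrative example in Python (not Dolibarr's PHP code and not the project's schema): the `orders` table, its columns, the sample rows and the function names are constructed for this demonstration. The vulnerable function shows that the `OR 1=1` value from the indicators list returns every row; the hardened one rejects anything that is not an integer status code and binds the value as a query parameter.

```python
import re
import sqlite3

# Constructed sample data standing in for an order table; table and column
# names are assumptions for this example, not Dolibarr's real schema.
SAMPLE_ORDERS = [
    ("CO2401", 0),  # draft
    ("CO2402", 1),  # validated
    ("CO2403", 1),
    ("CO2404", 3),  # closed
]


def make_db():
    """Create an in-memory database holding the constructed order rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (ref TEXT, status INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ORDERS)
    return conn


def list_orders_vulnerable(conn, viewstatut):
    """The flawed pattern: the request parameter is spliced straight into the
    SQL text, so any value containing SQL syntax changes the query's meaning."""
    sql = "SELECT ref FROM orders WHERE status = " + viewstatut + " ORDER BY ref"
    return [row[0] for row in conn.execute(sql)]


def list_orders_hardened(conn, viewstatut):
    """The fix: validate the parameter against the only shape it may have
    (a small integer status code) and bind it as a query parameter, so the
    database never interprets user input as SQL."""
    if not re.fullmatch(r"-?\d{1,3}", viewstatut):
        raise ValueError("viewstatut must be an integer status code")
    sql = "SELECT ref FROM orders WHERE status = ? ORDER BY ref"
    return [row[0] for row in conn.execute(sql, (int(viewstatut),))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, status=1:", list_orders_vulnerable(db, "1"))
    print("vulnerable, injected:", list_orders_vulnerable(db, "1 OR 1=1"))
    print("hardened, status=1:", list_orders_hardened(db, "1"))
    try:
        list_orders_hardened(db, "1 OR 1=1")
    except ValueError as exc:
        print("hardened, injected: rejected ->", exc)
```

The same two-step fix applies in PHP: validate or cast `viewstatut` to an integer before use and pass it to the database as a bound parameter instead of splicing it into the query string. Validation alone is not enough for free-text parameters; binding is what keeps data out of the SQL grammar.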
Attack Vector
The attack vector is network-based and does not require authentication. An attacker can craft malicious HTTP requests targeting the vulnerable endpoint with specially formatted SQL payloads in the viewstatut parameter. The attack requires no user interaction and can be executed remotely against any internet-accessible Dolibarr installation running the affected version.
A typical attack would involve sending GET or POST requests to /dolibarr/commande/list.php with SQL injection payloads embedded in the viewstatut parameter. Attackers may use techniques such as UNION-based injection to extract data, boolean-based blind injection to enumerate database contents, or time-based blind injection when direct output is not visible.
Detection Methods for CVE-2024-5315
Indicators of Compromise
- Unusual SQL error messages in web server logs or application logs originating from /dolibarr/commande/list.php
- HTTP requests to /dolibarr/commande/list.php containing SQL keywords like UNION, SELECT, OR 1=1, or encoded variants in the viewstatut parameter
- Database audit logs showing unauthorized queries or access to sensitive tables
- Unexpected data exports or bulk record access patterns in Dolibarr activity logs
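A small detector for the first two indicators above (SQL keywords in requests to the order list endpoint, and error responses from it), written as an added example in Python that is not part of the original page: the log lines are constructed in Apache combined format, the client addresses are documentation-range placeholders, and the regular expressions are assumptions a defender would tune for their own environment. It decodes the `viewstatut` value repeatedly so percent-encoded variants are checked in the same form as plain ones, and it scopes the check to the vulnerable path so that legitimate search terms on other pages do not trigger it.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access log lines (not real traffic).
# Line 2 carries a plain "OR 1=1", line 3 a double-encoded UNION SELECT that
# produced a 500, line 4 a harmless search on another page containing "select".
SAMPLE_LOG = """\
203.0.113.5 - - [24/May/2024:10:01:02 +0000] "GET /dolibarr/commande/list.php?viewstatut=1&sortfield=c.ref HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [24/May/2024:10:01:07 +0000] "GET /dolibarr/commande/list.php?viewstatut=1%20OR%201%3D1 HTTP/1.1" 200 90211 "-" "curl/8.0"
203.0.113.9 - - [24/May/2024:10:01:09 +0000] "GET /dolibarr/commande/list.php?viewstatut=1%2520UNION%2520SELECT%25201 HTTP/1.1" 500 320 "-" "curl/8.0"
203.0.113.7 - - [24/May/2024:10:02:00 +0000] "GET /dolibarr/societe/list.php?search_nom=select%20Ltd HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.5 - - [24/May/2024:10:02:30 +0000] "POST /dolibarr/commande/list.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

VULNERABLE_PATH = "/dolibarr/commande/list.php"

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Triage pattern (assumption, tune locally): SQL keywords as whole words,
# an OR-style tautology, or comment/statement/quote metacharacters.
SQLI_RE = re.compile(
    r"\b(union|select|insert|update|delete|drop)\b|\bor\b\s+\S+\s*=|--|;|'",
    re.IGNORECASE,
)


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so encoded variants are inspected in
    the same form as plain ones; stop once decoding no longer changes it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_requests(log_text):
    """Return one record per request to the vulnerable path whose viewstatut
    value matches the triage pattern. Unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULNERABLE_PATH:
            continue
        # parse_qs removes one layer of percent-encoding; fully_decode handles the rest.
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("viewstatut", []):
            value = fully_decode(raw)
            if SQLI_RE.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": m.group("status"),
                    "viewstatut": value,
                })
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

POST bodies are not recorded in the access log, so the same check on body parameters needs application-level or WAF logging. A keyword match is a triage signal rather than proof of exploitation; a 5xx response paired with a flagged request, as in the third sample line, is the stronger indicator, and a 200 with an unusually large response size next to a tautology payload is worth the same attention.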
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in requests to Dolibarr endpoints
- Implement database query monitoring to identify anomalous SQL statements executed against the Dolibarr database
- Configure intrusion detection systems (IDS) to alert on suspicious HTTP traffic patterns targeting /dolibarr/commande/list.php
- Enable detailed logging on web servers and review logs for requests containing SQL metacharacters
Monitoring Recommendations
- Monitor web server access logs for requests to /dolibarr/commande/list.php with suspicious query strings
- Implement database activity monitoring to track queries executed by the Dolibarr application user
- Set up alerts for failed authentication attempts and unusual database access patterns
- Regularly audit Dolibarr user accounts and access logs for signs of compromise
How to Mitigate CVE-2024-5315
Immediate Actions Required
- Upgrade Dolibarr ERP/CRM to the latest stable version that addresses this vulnerability
- Restrict network access to Dolibarr installations to trusted IP ranges where possible
- Implement Web Application Firewall rules to filter SQL injection attempts targeting the vulnerable endpoint
- Review database logs for evidence of exploitation and reset credentials if compromise is suspected
Patch Information
Organizations should upgrade to a patched version of Dolibarr ERP/CRM. For detailed information about available patches and security updates, refer to the INCIBE Security Notice for official guidance on remediation steps.
Workarounds
- Deploy a reverse proxy or WAF in front of Dolibarr to filter malicious requests before they reach the application
- Temporarily restrict access to /dolibarr/commande/list.php if the order listing functionality is not business-critical
- Implement network segmentation to limit the blast radius if the Dolibarr server is compromised
- Apply principle of least privilege to the database user account used by Dolibarr to minimize potential impact of SQL injection attacks
# Example: Apache mod_rewrite rule to block suspicious requests
# Add to .htaccess or Apache configuration. The path is checked via %{REQUEST_URI}
# because inside .htaccess the RewriteRule pattern sees a directory-relative path
# (no leading "/dolibarr/"), so a "^/dolibarr/..." rule pattern would never match.
# Caveat: %{QUERY_STRING} is not URL-decoded, so percent-encoded keyword variants
# slip through, and plain words like "select" may also appear in legitimate searches.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/dolibarr/commande/list\.php$ [NC]
RewriteCond %{QUERY_STRING} (union|select|insert|delete|update|drop|script) [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.