Product: Dolibarr
Type: Security Advisory
Severity: medium
CVE: CVE-2026-34036
Source date: 25/03/2026 13:49
Summary:
# Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure
## Target
Dolibarr Core (Tested on version 22.0.4)
## Summary
I have discovered a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint `/core/ajax/selectobject.php`. By manipulating the `objectdesc` parameter and exploiting a fail-open logic flaw in the core access control function `restrictedArea()`, an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as `.env`, `.htaccess`, configuration backups, or logs…).
## Vulnerability Details
The vulnerability is caused by a critical design flaw in `/core/ajax/selectobject.php` where dynamic file inclusion occurs **before** any access control checks are performed, combined with a fail-open logic in the core ACL function.
– **Arbitrary File Inclusi
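The two defects the advisory names are an include that runs before any authorization check and an access-control function that fails open. The following is an added illustration of the safe ordering, written for this page and not taken from Dolibarr's code; the descriptor format `ClassName:relative/path.class.php`, the `$user->rights` layout and the helper names are assumptions.

```php
<?php
// Added example (not Dolibarr's code): resolve a user-supplied object
// descriptor safely, and authorize BEFORE any include().
// Assumed descriptor format: "ClassName:relative/path/to/file.class.php".

function resolve_descriptor(string $objectdesc, string $root): ?array
{
    $parts = explode(':', $objectdesc);
    if (count($parts) < 2) {
        return null;
    }
    [$class, $relpath] = $parts;
    // Only a plausible class name and a relative, dot-free .class.php path.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $class)) {
        return null;
    }
    if (!preg_match('#^[a-z0-9_]+(/[a-z0-9_]+)*\.class\.php$#', $relpath)) {
        return null;
    }
    $real = realpath($root . '/' . $relpath);
    $rootReal = realpath($root);
    // realpath() collapses symlinks and "..": the result must stay under $root.
    if ($real === false || $rootReal === false
        || strncmp($real, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        return null;
    }
    return ['class' => $class, 'file' => $real, 'module' => explode('/', $relpath)[0]];
}

// Fail-closed: unknown module, missing user, or any error denies access.
function check_module_access($user, string $module, array $allowedModules): bool
{
    if ($user === null || !in_array($module, $allowedModules, true)) {
        return false;
    }
    return !empty($user->rights->{$module}->read); // hypothetical rights layout
}

// Correct ordering: validate, authorize, and only then include.
function load_object_or_deny($user, string $objectdesc, string $root, array $allowedModules): bool
{
    $d = resolve_descriptor($objectdesc, $root);
    if ($d === null || !check_module_access($user, $d['module'], $allowedModules)) {
        http_response_code(403);
        return false;
    }
    require_once $d['file'];   // reached only after the ACL check passed
    return class_exists($d['class']);
}
```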
Recommended action:
Check the installed version and apply the fix if the product is affected.
Source: See the official announcement