Business Logic Errors in dolibarr/dolibarr


Reported on

Jan 9th 2022


The application does not check the input of price number lead to Business Logic error through negative price amount.

Proof of Concept

  1. Go to Product and Services area htdocs/product/index.php

  2. Create a new or edit an item, insert a negative amount into Selling price field.

Also in Billing and payment area and Donations area and maybe more


Business logic can have security flaws that allow a user to do something that isn't allowed by the business, in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality.

We are processing your report and will contact the dolibarr team within 24 hours. 2 years ago
We have contacted a member of the dolibarr team and are waiting to hear back 2 years ago
2 years ago


Except for donation, being able to enter a negative amount is the expected feature.

Laurent Destailleur validated this vulnerability 2 years ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur marked this as fixed in develop with commit d89216 2 years ago
Laurent Destailleur has been awarded the fix bounty
This vulnerability will not receive a CVE
card.php#L148-L198 has been validated
card.php#L202-L259 has been validated
card.php#L182-L217 has been validated
card.php#L220-L248 has been validated
card.php#L341-L362 has been validated
card.php#L206-L317 has been validated
card.php#L509-L673 has been validated
card.php#L277-L506 has been validated
to join this conversation