CVE-2024-31503 is an access control vulnerability affecting Dolibarr ERP CRM versions 19.0.0 and earlier. The flaw arises from improper enforcement of access controls, allowing authenticated attackers with elevated privileges to steal session cookies and CSRF protection tokens from other users. The attack vector involves social engineering, where the attacker convinces a victim user to interact with a maliciously crafted web page. Successful exploitation results in the attacker hijacking the victim's session, effectively taking over their account. This can lead to unauthorized access to sensitive business data managed within the ERP/CRM system. The vulnerability is classified under CWE-284 (Improper Access Control) and has a CVSS 3.1 base score of 7.5, reflecting high severity. The vector metrics indicate network attack vector (AV:N), high attack complexity (AC:H), required privileges are high (PR:H), user interaction is required (UI:R), and the scope is changed (S:C), with high confidentiality and integrity impact and low availability impact. No public exploits have been reported yet, and no official patches are linked at this time, suggesting organizations should monitor for updates and consider interim mitigations.

The impact of CVE-2024-31503 is significant for organizations using Dolibarr ERP CRM, as it enables attackers to hijack user sessions and bypass CSRF protections, leading to full account takeover. This compromises confidentiality by exposing sensitive business and customer data, and integrity by allowing unauthorized actions within the ERP/CRM system. Although availability impact is low, the breach of trust and potential data manipulation can disrupt business operations and lead to financial loss, reputational damage, and regulatory compliance issues. Since the vulnerability requires authenticated attackers with high privileges and user interaction, insider threats or compromised accounts pose a particular risk. Organizations with multiple users and sensitive workflows in Dolibarr are especially vulnerable, increasing the risk of lateral movement and privilege escalation within their environments.

To mitigate CVE-2024-31503, organizations should first verify if they are running Dolibarr ERP CRM version 19.0.0 or earlier and plan immediate upgrades to patched versions once available. In the absence of official patches, implement strict access control policies limiting high-privilege accounts and monitor their activity closely. Employ network segmentation to isolate ERP/CRM systems and reduce exposure. Educate users about phishing and social engineering risks to minimize interaction with malicious web content. Enable multi-factor authentication (MFA) for all user accounts to reduce the impact of session hijacking. Review and harden session management configurations, such as setting secure, HttpOnly, and SameSite cookie attributes to mitigate cookie theft. Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting session tokens. Regularly audit logs for unusual access patterns and conduct penetration testing focused on session management and access controls. Maintain an incident response plan tailored to ERP/CRM compromises.