CVE-2024-40137: n/a
Dolibarr ERP CRM before 19.0.2-php8.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Summary
CVE-2024-40137 is a remote code execution (RCE) vulnerability identified in Dolibarr ERP CRM versions before 19.0.2-php8.2. The vulnerability arises from improper handling of the Computed field parameter within the Users Module Setup function. This flaw allows an authenticated user with high privileges to inject and execute arbitrary code remotely, potentially compromising the integrity of the system. The vulnerability is categorized under CWE-74 (improper neutralization of special elements in output used by a downstream component), the general class of injection weaknesses. The CVSS v3.1 base score is 5.5, with vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N, indicating a network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, low confidentiality impact, high integrity impact, and no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the potential for code execution within critical ERP/CRM infrastructure. Dolibarr ERP CRM is widely used by small and medium enterprises for resource planning and customer relationship management, making this vulnerability impactful in business environments. The lack of an official patch link in this record suggests that users should monitor vendor advisories closely and apply updates once available. Exploitation requires authenticated access with elevated privileges, which somewhat limits the attack surface but does not eliminate the risk, especially in environments with weak internal access controls or compromised credentials.
Potential Impact
The primary impact of CVE-2024-40137 is the potential for remote code execution by an authenticated user with high privileges, which can lead to full system compromise, unauthorized data modification, and disruption of business processes. The integrity of critical business data managed by Dolibarr ERP CRM can be severely affected, potentially leading to financial loss, operational downtime, and reputational damage. Although confidentiality impact is rated low, the ability to execute arbitrary code can be leveraged to escalate privileges further or pivot within the network. The absence of availability impact means the system may continue to operate, masking the presence of an attacker. Organizations relying on Dolibarr for ERP and CRM functions, especially those with insufficient internal access controls or weak credential management, face increased risk. The medium CVSS score reflects the balance between the requirement for high privileges and the severity of the impact. The threat is particularly concerning for sectors where Dolibarr is integrated with sensitive business operations, such as finance, manufacturing, and public administration.
Mitigation Recommendations
To mitigate CVE-2024-40137, organizations should promptly upgrade Dolibarr ERP CRM to version 19.0.2-php8.2 or later once the patch is officially released. Until a patch is available, restrict access to the Users Module Setup function to only the most trusted administrators and implement strict role-based access controls to minimize the number of users with high privileges. Conduct thorough audits of user accounts and credentials to ensure no unauthorized or weak credentials exist. Employ network segmentation to isolate ERP/CRM systems from less trusted network zones and monitor logs for unusual activity related to the Users Module. Implement multi-factor authentication (MFA) for all administrative access to reduce the risk of credential compromise. Additionally, apply web application firewalls (WAF) with custom rules to detect and block suspicious payloads targeting the Computed field parameter. Regularly back up critical ERP/CRM data and verify the integrity of backups to enable recovery in case of compromise. Finally, maintain up-to-date threat intelligence feeds and monitor vendor advisories for any emerging exploit information or patches.
Affected Countries
France, Germany, Italy, Spain, United States, Brazil, India, United Kingdom, Canada, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-07-05T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6ca6b7ef31ef0b56730d
Added to database: 2/25/2026, 9:41:58 PM
Last enriched: 2/28/2026, 5:14:26 AM
Last updated: 4/12/2026, 5:14:32 PM
Views: 11