In Dolibarr ERP & CRM versions up to 22.0.4, the Website module fails to consistently enforce PHP code detection and editing permissions across all input parameters. As a result, an authenticated user restricted to HTML/JavaScript editing can bypass these restrictions and inject PHP code through certain unprotected inputs during website page creation. This vulnerability arises from inconsistent permission checks rather than a flaw in authentication itself. No CVSS score or official remediation information is provided.

An authenticated user with limited editing permissions can escalate their capabilities to inject PHP code, potentially leading to unauthorized code execution within the application context. This could compromise the integrity and security of the affected Dolibarr instance. However, exploitation requires authentication and the ability to create or edit website pages.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict website page creation and editing permissions to trusted users only and monitor for suspicious activity related to website content management. Avoid granting HTML/JavaScript editing permissions broadly.