CVE-2023-33568: 
PHP vulnerability analysis and mitigation

CVE-2023-33568 affects Dolibarr version 16 before 16.0.5, allowing unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists. The vulnerability was discovered in March 2023 and was patched in version 16.0.5 (Dolibarr Forum, DSecBypass).

The vulnerability exists in the htdocs/public/ticket/ajax/ajax.php file, where an unauthenticated attacker can exploit the SQL LIKE operator using the '%' character to transform queries and retrieve all contact records. The vulnerability has a CVSS v3.1 Base Score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity with network accessibility and no authentication required (DSecBypass).

The vulnerability allows attackers to access sensitive business information including customer files, prospect details, supplier information, and employee data if contact files exist. Both public and private notes can be retrieved, potentially exposing confidential business information. The ease of exploitation and the nature of exposed data makes this a critical security issue (DSecBypass).

Users should upgrade to Dolibarr version 16.0.5 or later which contains the fix for this vulnerability. For version 17, the vulnerable feature is disabled by default. Additional security recommendations include limiting Internet exposure, using VPN access, implementing proper access controls, and keeping software components updated (Dolibarr Forum, DSecBypass).

The vulnerability was initially reported to Dolibarr developers on February 21, 2023, with a quick response from developer Eldy validating the issue. The fix was implemented in version 16.0.5, and the feature was disabled by default in version 17 released on March 5, 2023 (DSecBypass).