Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote malicious users to obtain sensitive information.
dolibarr dolibarr erp\\/crm 6.0.4