core/get_menudiv.php in Dolibarr prior to 11.0.4 allows remote authenticated malicious users to bypass intended access restrictions via a non-alphanumeric menu parameter.
dolibarr dolibarr