Total
87 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16197 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS. | |||||
| CVE-2022-22293 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 3.5 LOW | 5.4 MEDIUM |
| admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter. | |||||
| CVE-2019-17577 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field. | |||||
| CVE-2019-16687 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation. | |||||
| CVE-2017-7888 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 5.0 MEDIUM | 9.8 CRITICAL |
| Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier. | |||||
| CVE-2021-33618 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature. | |||||
| CVE-2020-13828 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter. | |||||
| CVE-2017-17897 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||||
| CVE-2018-19995 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php. | |||||
| CVE-2021-25956 | 1 Dolibarr | 2 Dolibarr, Dolibarr Erp\/crm | 2022-11-17 | 6.5 MEDIUM | 7.2 HIGH |
| In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name. | |||||
| CVE-2020-9016 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header. | |||||
| CVE-2020-14475 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey). | |||||
| CVE-2013-2092 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php. | |||||
| CVE-2019-16688 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.) | |||||
| CVE-2017-7887 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter. | |||||
| CVE-2021-37517 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-04-11 | 5.0 MEDIUM | 7.5 HIGH |
| An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service. | |||||
| CVE-2021-36625 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-04-11 | 6.5 MEDIUM | 8.8 HIGH |
| An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement. | |||||
| CVE-2019-11200 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. (Malicious binaries can be uploaded by abusing other functionalities of the application.) | |||||
| CVE-2019-11199 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2019-08-05 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be exploited by low privileged users to target administrators. The viewimage.php page did not perform any contextual output encoding and would display the content within the uploaded file with a user-requested MIME type. | |||||
| CVE-2019-11201 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2019-08-05 | 8.5 HIGH | 8.0 HIGH |
| Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server. | |||||