Search
Total
19 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7995 | 1 Dolibarr | 1 Dolibarr | 2022-04-26 | 10.0 HIGH | 9.8 CRITICAL |
| The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. | |||||
| CVE-2021-25955 | 1 Dolibarr | 1 Dolibarr | 2022-01-21 | 3.5 LOW | 9.0 CRITICAL |
| In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation. | |||||
| CVE-2022-0224 | 1 Dolibarr | 1 Dolibarr | 2022-01-18 | 7.5 HIGH | 9.8 CRITICAL |
| dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command | |||||
| CVE-2021-33816 | 1 Dolibarr | 1 Dolibarr | 2021-11-12 | 7.5 HIGH | 9.8 CRITICAL |
| The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked. | |||||
| CVE-2018-9019 | 2 Dolibarr, Oracle | 2 Dolibarr, Data Integrator | 2021-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php. | |||||
| CVE-2019-19212 | 1 Dolibarr | 1 Dolibarr | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen). | |||||
| CVE-2013-2093 | 1 Dolibarr | 1 Dolibarr | 2019-11-22 | 10.0 HIGH | 9.8 CRITICAL |
| Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands. | |||||
| CVE-2013-2091 | 1 Dolibarr | 1 Dolibarr | 2019-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php. | |||||
| CVE-2018-16809 | 1 Dolibarr | 1 Dolibarr | 2019-03-08 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit. | |||||
| CVE-2018-13447 | 1 Dolibarr | 1 Dolibarr | 2018-08-11 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut parameter. | |||||
| CVE-2018-10094 | 1 Dolibarr | 1 Dolibarr | 2018-07-02 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes. | |||||
| CVE-2017-17900 | 1 Dolibarr | 1 Dolibarr | 2018-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter. | |||||
| CVE-2017-17899 | 1 Dolibarr | 1 Dolibarr | 2018-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter. | |||||
| CVE-2017-17897 | 1 Dolibarr | 1 Dolibarr | 2018-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||||
| CVE-2017-14242 | 1 Dolibarr | 1 Dolibarr | 2017-09-18 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter. | |||||
| CVE-2017-14238 | 1 Dolibarr | 1 Dolibarr | 2017-09-18 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter. | |||||
| CVE-2017-9435 | 1 Dolibarr | 1 Dolibarr | 2017-06-08 | 7.5 HIGH | 9.8 CRITICAL |
| Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). | |||||
| CVE-2017-7886 | 1 Dolibarr | 1 Dolibarr | 2017-05-15 | 7.5 HIGH | 9.8 CRITICAL |
| Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter. | |||||
| CVE-2017-7888 | 1 Dolibarr | 1 Dolibarr | 2017-05-15 | 5.0 MEDIUM | 9.8 CRITICAL |
| Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier. | |||||