Filtered by vendor Dolibarr
Subscribe
Search
Total
24 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-40871 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-08-08 | N/A | 9.8 CRITICAL |
| Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval. | |||||
| CVE-2022-43138 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-08-08 | N/A | 9.8 CRITICAL |
| Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. | |||||
| CVE-2020-7995 | 1 Dolibarr | 1 Dolibarr | 2022-04-26 | 10.0 HIGH | 9.8 CRITICAL |
| The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. | |||||
| CVE-2021-25955 | 1 Dolibarr | 1 Dolibarr | 2022-01-21 | 3.5 LOW | 9.0 CRITICAL |
| In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation. | |||||
| CVE-2022-0224 | 1 Dolibarr | 1 Dolibarr | 2022-01-18 | 7.5 HIGH | 9.8 CRITICAL |
| dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command | |||||
| CVE-2021-33816 | 1 Dolibarr | 1 Dolibarr | 2021-11-12 | 7.5 HIGH | 9.8 CRITICAL |
| The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked. | |||||
| CVE-2018-9019 | 2 Dolibarr, Oracle | 2 Dolibarr, Data Integrator | 2021-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php. | |||||
| CVE-2019-19212 | 1 Dolibarr | 1 Dolibarr | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen). | |||||
| CVE-2013-2093 | 1 Dolibarr | 1 Dolibarr | 2019-11-22 | 10.0 HIGH | 9.8 CRITICAL |
| Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands. | |||||
| CVE-2013-2091 | 1 Dolibarr | 1 Dolibarr | 2019-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php. | |||||
| CVE-2018-16809 | 1 Dolibarr | 1 Dolibarr | 2019-03-08 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit. | |||||
| CVE-2018-13449 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2018-09-05 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut_buy parameter. | |||||
| CVE-2018-13450 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2018-09-05 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the status_batch parameter. | |||||
| CVE-2018-13447 | 1 Dolibarr | 1 Dolibarr | 2018-08-11 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut parameter. | |||||
| CVE-2018-13448 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2018-08-10 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the country_id parameter. | |||||
| CVE-2018-10094 | 1 Dolibarr | 1 Dolibarr | 2018-07-02 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes. | |||||
| CVE-2017-17900 | 1 Dolibarr | 1 Dolibarr | 2018-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter. | |||||
| CVE-2017-17899 | 1 Dolibarr | 1 Dolibarr | 2018-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter. | |||||
| CVE-2017-17897 | 1 Dolibarr | 1 Dolibarr | 2018-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||||
| CVE-2017-14242 | 1 Dolibarr | 1 Dolibarr | 2017-09-18 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter. | |||||
| CVE-2017-14238 | 1 Dolibarr | 1 Dolibarr | 2017-09-18 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter. | |||||
| CVE-2017-9435 | 1 Dolibarr | 1 Dolibarr | 2017-06-08 | 7.5 HIGH | 9.8 CRITICAL |
| Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). | |||||
| CVE-2017-7886 | 1 Dolibarr | 1 Dolibarr | 2017-05-15 | 7.5 HIGH | 9.8 CRITICAL |
| Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter. | |||||
| CVE-2017-7888 | 1 Dolibarr | 1 Dolibarr | 2017-05-15 | 5.0 MEDIUM | 9.8 CRITICAL |
| Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier. | |||||