Filtered by vendor Dolibarr Subscriptions
Total 121 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-3991 1 Dolibarr 2 Dolibarr, Dolibarr Erp\/crm 2024-11-19 4.3 Medium
An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.
CVE-2023-38886 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-25 7.2 High
An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.
CVE-2023-38888 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-25 9.6 Critical
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.
CVE-2023-38887 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-25 8.8 High
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.
CVE-2023-5323 1 Dolibarr 2 Dolibarr, Dolibarr Erp\/crm 2024-09-20 6.1 Medium
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.
CVE-2016-1912 1 Dolibarr 1 Dolibarr 2024-09-17 N/A
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php.
CVE-2021-25957 1 Dolibarr 1 Dolibarr 2024-09-17 8.8 High
In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password.
CVE-2017-17971 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-17 N/A
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS.
CVE-2018-13449 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-17 N/A
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut_buy parameter.
CVE-2021-25954 1 Dolibarr 1 Dolibarr 2024-09-17 4.3 Medium
In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at “/adherents/note.php?id=1” endpoint.
CVE-2021-25955 1 Dolibarr 1 Dolibarr 2024-09-16 9 Critical
In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.
CVE-2021-25956 1 Dolibarr 2 Dolibarr, Dolibarr Erp\/crm 2024-09-16 4.7 Medium
In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.
CVE-2012-1225 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-16 N/A
Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php.
CVE-2018-13447 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-16 N/A
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut parameter.
CVE-2017-8879 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-16 N/A
Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation.
CVE-2018-13450 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-16 N/A
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the status_batch parameter.
CVE-2017-9435 1 Dolibarr 1 Dolibarr 2024-09-16 N/A
Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters).
CVE-2018-13448 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-16 N/A
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the country_id parameter.
CVE-2023-5842 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-06 4.8 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.
CVE-2023-4197 1 Dolibarr 1 Dolibarr Erp\/crm 2024-09-05 7.5 High
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.