Filtered by vendor Dolibarr
Subscriptions
Total
120 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-14475 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey). | ||||
| CVE-2020-14209 | 1 Dolibarr | 1 Dolibarr | 2024-08-04 | 8.8 High |
| Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism). | ||||
| CVE-2020-14201 | 1 Dolibarr | 1 Dolibarr | 2024-08-04 | 6.5 Medium |
| Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source code. | ||||
| CVE-2020-13828 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 5.4 Medium |
| Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter. | ||||
| CVE-2020-13240 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 5.4 Medium |
| The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS. | ||||
| CVE-2020-13239 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 5.4 Medium |
| The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS. | ||||
| CVE-2020-13094 | 1 Dolibarr | 1 Dolibarr | 2024-08-04 | 5.4 Medium |
| Dolibarr before 11.0.4 allows XSS. | ||||
| CVE-2020-12669 | 1 Dolibarr | 1 Dolibarr | 2024-08-04 | 8.8 High |
| core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter. | ||||
| CVE-2020-11823 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 5.4 Medium |
| In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account. | ||||
| CVE-2020-11825 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 8.8 High |
| In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation. | ||||
| CVE-2020-9016 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 5.4 Medium |
| Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header. | ||||
| CVE-2020-7996 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 6.1 Medium |
| htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header. | ||||
| CVE-2020-7994 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 6.1 Medium |
| Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page. | ||||
| CVE-2020-7995 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 9.8 Critical |
| The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. | ||||
| CVE-2021-42220 | 1 Dolibarr | 1 Dolibarr | 2024-08-04 | 5.4 Medium |
| A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a box. | ||||
| CVE-2021-37517 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 7.5 High |
| An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service. | ||||
| CVE-2021-36625 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-04 | 8.8 High |
| An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement. | ||||
| CVE-2021-33816 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-03 | 9.8 Critical |
| The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked. | ||||
| CVE-2021-33618 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-03 | 6.1 Medium |
| Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature. | ||||
| CVE-2022-43138 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-03 | 9.8 Critical |
| Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. | ||||