Filtered by vendor Dolibarr
Subscriptions
Total
120 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2016-1912 | 1 Dolibarr | 1 Dolibarr | 2024-09-17 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php. | ||||
CVE-2021-25957 | 1 Dolibarr | 1 Dolibarr | 2024-09-17 | 8.8 High |
In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password. | ||||
CVE-2017-17971 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-17 | N/A |
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS. | ||||
CVE-2018-13449 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-17 | N/A |
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut_buy parameter. | ||||
CVE-2021-25954 | 1 Dolibarr | 1 Dolibarr | 2024-09-17 | 4.3 Medium |
In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at “/adherents/note.php?id=1” endpoint. | ||||
CVE-2021-25955 | 1 Dolibarr | 1 Dolibarr | 2024-09-16 | 9 Critical |
In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation. | ||||
CVE-2021-25956 | 1 Dolibarr | 2 Dolibarr, Dolibarr Erp\/crm | 2024-09-16 | 4.7 Medium |
In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name. | ||||
CVE-2012-1225 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-16 | N/A |
Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php. | ||||
CVE-2018-13447 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-16 | N/A |
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut parameter. | ||||
CVE-2017-8879 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-16 | N/A |
Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation. | ||||
CVE-2018-13450 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-16 | N/A |
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the status_batch parameter. | ||||
CVE-2017-9435 | 1 Dolibarr | 1 Dolibarr | 2024-09-16 | N/A |
Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). | ||||
CVE-2018-13448 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-16 | N/A |
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the country_id parameter. | ||||
CVE-2023-5842 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-06 | 4.8 Medium |
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5. | ||||
CVE-2023-4197 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-05 | 7.5 High |
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. | ||||
CVE-2023-4198 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-05 | 6.5 Medium |
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data | ||||
CVE-2011-4802 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-07 | N/A |
Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.php in user/; and (9) rowid parameter to admin/boxes.php. | ||||
CVE-2011-4814 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-07 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss parameter to (5) admin/ihm.php and (6) user/home.php. | ||||
CVE-2011-4329 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-07 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter in a setup action to admin/company.php, or the PATH_INFO to (2) admin/security_other.php, (3) admin/events.php, or (4) admin/user.php. | ||||
CVE-2012-1226 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-06 | N/A |
Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to comm/action/fiche.php. |