Dolibarr Security Vulnerabilities

CVE-2024-23817

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the...

CVSS 6.1 | AI Score 7.1 | EPSS 0.0005 | 2024-01-25 08:15 PM

CVE-2023-4198

Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer...

CVSS 6.5 | AI Score 7 | EPSS 0.0005 | 2023-11-01 09:15 AM

CVE-2023-4197

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP...

CVSS 8.8 | AI Score 7.6 | EPSS 0.001 | 2023-11-01 08:15 AM

CVE-2023-5842

Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to...

CVSS 4.8 | AI Score 6 | EPSS 0.0004 | 2023-10-30 01:15 AM

CVE-2023-5323

Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to...

CVSS 5.4 | AI Score 6.1 | EPSS 0.0005 | 2023-10-01 01:15 AM

CVE-2022-4093

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In...

CVSS 9.8 | AI Score 9.6 | EPSS 0.001 | 2022-11-21 05:15 AM

CVE-2022-2060

Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to...

CVSS 5.4 | AI Score 5.3 | EPSS 0.001 | 2022-06-13 09:15 AM

CVE-2022-0819

Code Injection in GitHub repository dolibarr/dolibarr prior to...

CVSS 8.8 | AI Score 8.9 | EPSS 0.002 | 2022-03-02 04:15 PM

CVE-2022-0746

Business Logic Errors in GitHub repository dolibarr/dolibarr prior to...

CVSS 4.3 | AI Score 4.6 | EPSS 0.001 | 2022-02-25 09:15 AM

CVE-2022-0731

Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to...

CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2022-02-23 07:15 PM

CVE-2022-0414

Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to...

CVSS 4.3 | AI Score 4.5 | EPSS 0.001 | 2022-01-31 11:15 AM

CVE-2022-0224

dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL...

CVSS 9.8 | AI Score 9.7 | EPSS 0.002 | 2022-01-14 06:15 PM

CVE-2022-0174

Improper Validation of Specified Quantity in Input vulnerability in dolibarr...

CVSS 4.3 | AI Score 4.6 | EPSS 0.001 | 2022-01-10 06:15 PM

CVE-2021-42220

A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a...

CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | 2021-12-15 07:15 AM

CVE-2021-25956

In the “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 give admin level users “Modify” access to change other users’ details but fail to validate an already existing “Login” name while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since...

CVSS 7.2 | AI Score 6.9 | EPSS 0.001 | 2021-08-17 03:15 PM

CVE-2021-25957

In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten...

CVSS 8.8 | AI Score 8.6 | EPSS 0.001 | 2021-08-17 03:15 PM

CVE-2021-25955

In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser...

CVSS 9 | AI Score 8.4 | EPSS 0.001 | 2021-08-15 09:15 PM

CVE-2021-25954

In the “Dolibarr” application, versions 2.8.1 to 13.0.4 do not restrict, or incorrectly restrict, access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note, which only an administrator has rights to do; the affected field is at “/adherents/note.php?id=1”...

CVSS 4.3 | AI Score 4.4 | EPSS 0.001 | 2021-08-09 05:15 PM

CVE-2020-14209

Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP...

CVSS 8.8 | AI Score 9 | EPSS 0.011 | 2020-09-02 05:15 PM

CVE-2020-14201

Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source...

CVSS 6.5 | AI Score 6.3 | EPSS 0.001 | 2020-08-21 07:15 PM

CVE-2020-14443

A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id...

CVSS 8.8 | AI Score 8.8 | EPSS 0.001 | 2020-06-18 06:15 PM

CVE-2020-13094

Dolibarr before 11.0.4 allows...

CVSS 5.4 | AI Score 5.3 | EPSS 0.001 | 2020-05-18 10:15 PM

CVE-2020-12669

core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu...

CVSS 8.8 | AI Score 8.2 | EPSS 0.002 | 2020-05-06 07:15 PM

CVE-2019-19212

Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price...

CVSS 9.8 | AI Score 9 | EPSS 0.006 | 2020-03-16 08:15 PM

CVE-2019-19209

Dolibarr ERP/CRM before 10.0.3 allows SQL...

CVSS 7.5 | AI Score 7.8 | EPSS 0.002 | 2020-03-16 03:15 PM

CVE-2019-19210

Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe...

CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | 2020-03-16 03:15 PM

CVE-2019-19211

Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php...

CVSS 6.1 | AI Score 6.1 | EPSS 0.001 | 2020-03-16 03:15 PM

CVE-2013-2093

Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary...

CVSS 9.8 | AI Score 9.6 | EPSS 0.037 | 2019-11-20 09:15 PM

CVE-2013-2092

Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in...

CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2019-11-20 09:15 PM

CVE-2013-2091

SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in...

CVSS 9.8 | AI Score 9.9 | EPSS 0.009 | 2019-11-20 08:15 PM

CVE-2019-1010054

Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malicious html to change user password, disable users and disable password encryption. The component is: Function User password change, user disable and password encryption. The attack vector is: admin...

CVSS 8.8 | AI Score 8.8 | EPSS 0.001 | 2019-07-18 01:15 PM

CVE-2019-1010016

Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the...

CVSS 6.1 | AI Score 6.1 | EPSS 0.001 | 2019-07-15 03:15 AM

CVE-2018-16808

An issue was discovered in Dolibarr through 7.0.0. There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private...

CVSS 6.1 | AI Score 5.8 | EPSS 0.001 | 2019-03-07 11:29 PM

CVE-2018-16809

An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and...

CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2019-03-07 11:29 PM

CVE-2018-19799

Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport=...

CVSS 6.1 | AI Score 6.1 | EPSS 0.004 | 2018-12-26 09:29 PM

CVE-2018-10092

The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file...

CVSS 8 | AI Score 8.3 | EPSS 0.002 | 2018-05-22 08:29 PM

CVE-2018-10094

SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without...

CVSS 9.8 | AI Score 9.8 | EPSS 0.895 | 2018-05-22 08:29 PM

CVE-2018-10095

Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to...

CVSS 6.1 | AI Score 6 | EPSS 0.953 | 2018-05-22 08:29 PM

CVE-2018-9019

SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php,...

CVSS 9.8 | AI Score 10 | EPSS 0.001 | 2018-05-22 08:29 PM

CVE-2017-14241

Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to...

CVSS 5.4 | AI Score 5.1 | EPSS 0.001 | 2017-09-11 09:29 AM

CVE-2017-14239

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors, (9) Note, (10)...

CVSS 5.4 | AI Score 5.1 | EPSS 0.001 | 2017-09-11 09:29 AM

CVE-2017-14238

SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId...

CVSS 9.8 | AI Score 9.9 | EPSS 0.001 | 2017-09-11 09:29 AM

CVE-2017-14240

There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file...

CVSS 7.5 | AI Score 7.2 | EPSS 0.002 | 2017-09-11 09:29 AM

CVE-2017-14242

SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut...

CVSS 9.8 | AI Score 9.9 | EPSS 0.001 | 2017-09-11 09:29 AM

CVE-2017-9840

Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable...

CVSS 8.8 | AI Score 8.9 | EPSS 0.001 | 2017-06-25 12:29 PM

CVE-2017-9435

Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut...

CVSS 9.8 | AI Score 9.7 | EPSS 0.002 | 2017-06-05 02:29 PM

CVE-2016-1912

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to...

CVSS 5.4 | AI Score 5.2 | EPSS 0.008 | 2016-01-15 08:59 PM

CVE-2015-8685

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar"...

CVSS 6.1 | AI Score 6 | EPSS 0.003 | 2016-01-15 07:59 PM

CVE-2015-3935

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 allow remote attackers to inject arbitrary web script or HTML via the Business Search (search_nom) field to (1) htdocs/societe/societe.php or (2)...

AI Score 5.8 | EPSS 0.016 | 2015-06-10 02:59 PM

CVE-2014-7137

Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php;.....

AI Score 8.2 | EPSS 0.004 | 2014-11-21 03:59 PM