21 matches found
CVE-2020-7995
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts...
EUVD-2022-3839
Malicious code in bioql PyPI...
EUVD-2022-1983
Malicious code in bioql PyPI...
EUVD-2022-2810
Malicious code in bioql PyPI...
EUVD-2022-4493
Malicious code in bioql PyPI...
CVE-2022-22293
admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAINMAXDECIMALSTOT parameter...
CVE-2019-15062
An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element containing a user/card.php CSRF request in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. The protection mechanism for CSRF is to check the Referer...
Dolibarr 20.0.1 SQL Injection
Titles: dolibarr 20.0.1 Multiple security token SQLi Author: nu11secur1ty Date: 10/15/2024 Vendor: https://www.dolibarr.org/ Software: https://www.dolibarr.org/downloads.php Reference: https://portswigger.net/web-security/sql-injection Description: The socid parameter appears to be vulnerable to...
CVE-2023-33568
An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists...
CVE-2023-33568
An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists...
CVE-2023-30253
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: ?PHP instead of ?php in injected data...
GHSA-FVXR-767J-F28V Dolibarr stored Cross-site Scripting vulnerability
Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation...
Dolibarr stored cross-site scripting (XSS) vulnerability
A stored cross-site scripting XSS vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" POST or "town" POST parameter to adherents/type.php...
Business Logic Flaws
dolibarr has business logic flaws. The vulnerability exists due to a lack of sanitization of values for the Weight, Length x Width x Height, Area, Volume fields of a Product...
Improper Authorization in dolibarr/dolibarr
Description I found an IDOR in Dolibarr In preview2.dolibarr.org login with demo:demo then open Agenda section first, I Change all permissions of demo user in Reception to None second, I can't see the Receptions List in Products at all But I am able to see following Reception...
CVE-2021-25956
In “Dolibarr” application, v3.3.beta120121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since t...
CVE-2020-14209
Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control e.g., to let .noexe files be executed as PHP co...
CVE-2020-7995
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts...
Cross site scripting
Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation...
Dolibarr adherents/list.php SQL Injection
SQL Injection vulnerability in Dolibarr adherents/list.php statut parameter Vulnerability Type: SQL Injection For the exploit source code contact DSquare Security sales team...