Dolibarr Security Vulnerabilities and Issues — Dolibarr CVE List

Lucene search

DolibarrDolibarr

32 matches found

CVE•added 2020/05/18 10:15 p.m.•143 views

CVE-2020-13094

Dolibarr before 11.0.4 allows XSS.

5.4CVSS5.3AI score0.01707EPSS

Web

CVE•added 2021/08/15 9:15 p.m.•95 views

CVE-2021-25955

In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser whe...

9CVSS8.6AI score0.00415EPSS

Web

CVE•added 2020/09/02 5:15 p.m.•76 views

CVE-2020-14209

Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP cod...

8.8CVSS8.9AI score0.09687EPSS

Web

CVE•added 2018/05/22 8:29 p.m.•68 views

CVE-2018-10092

The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads.

8CVSS8.3AI score0.00449EPSS

CVE•added 2018/05/22 8:29 p.m.•66 views

CVE-2018-10094

SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes.

9.8CVSS9.7AI score0.74413EPSS

CVE•added 2021/08/17 3:15 p.m.•66 views

CVE-2021-25957

In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password.

8.8CVSS8.6AI score0.00326EPSS

CVE•added 2021/08/09 5:15 p.m.•65 views

CVE-2021-25954

In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at “/adherents/note.php?id=1” endpoint.

4.3CVSS4.3AI score0.00249EPSS

Web

CVE•added 2018/12/26 9:29 p.m.•62 views

CVE-2018-19799

Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS.

6.1CVSS6.1AI score0.02965EPSS

Web

CVE•added 2021/08/17 3:15 p.m.•62 views

CVE-2021-25956

In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since th...

7.2CVSS5.7AI score0.00372EPSS

CVE•added 2018/05/22 8:29 p.m.•60 views

CVE-2018-10095

Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.

6.1CVSS6AI score0.58066EPSS

Web

CVE•added 2020/08/21 7:15 p.m.•60 views

CVE-2020-14201

Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source code.

6.5CVSS6.2AI score0.00146EPSS

CVE•added 2020/06/18 6:15 p.m.•56 views

CVE-2020-14443

A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.

8.8CVSS8.8AI score0.00295EPSS

Web

CVE•added 2016/01/15 7:59 p.m.•54 views

CVE-2015-8685

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar" page.

6.1CVSS6AI score0.00212EPSS

CVE•added 2017/09/11 9:29 a.m.•54 views

CVE-2017-14238

SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter.

9.8CVSS9.9AI score0.00342EPSS

Web

CVE•added 2017/06/05 2:29 p.m.•54 views

CVE-2017-9435

Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters).

9.8CVSS9.6AI score0.00331EPSS

Web

CVE•added 2020/03/16 3:15 p.m.•54 views

CVE-2019-19210

Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.

5.4CVSS5.1AI score0.00606EPSS

CVE•added 2017/09/11 9:29 a.m.•53 views

CVE-2017-14239

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors, (9) Note, (10) Capi...

5.4CVSS5.3AI score0.00122EPSS

Web

CVE•added 2017/09/11 9:29 a.m.•53 views

CVE-2017-14241

Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php.

5.4CVSS5.2AI score0.00122EPSS

Web

CVE•added 2014/11/21 3:59 p.m.•52 views

CVE-2014-7137

Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (...

6.5CVSS8.2AI score0.00335EPSS

Web

CVE•added 2020/03/16 8:15 p.m.•52 views

CVE-2019-19212

Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).

9.8CVSS8.9AI score0.0114EPSS

Web

CVE•added 2018/05/22 8:29 p.m.•51 views

CVE-2018-9019

SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_temp...

9.8CVSS10AI score0.01997EPSS

Web

CVE•added 2020/03/16 3:15 p.m.•51 views

CVE-2019-19209

Dolibarr ERP/CRM before 10.0.3 allows SQL Injection.

7.5CVSS7.7AI score0.01557EPSS

CVE•added 2017/09/11 9:29 a.m.•49 views

CVE-2017-14240

There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter.

7.5CVSS7.1AI score0.0027EPSS

CVE•added 2017/06/25 12:29 p.m.•49 views

CVE-2017-9840

Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application.

8.8CVSS8.8AI score0.00747EPSS

CVE•added 2020/05/06 7:15 p.m.•49 views

CVE-2020-12669

core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.

8.8CVSS8.1AI score0.00289EPSS

Web

CVE•added 2017/09/11 9:29 a.m.•48 views

CVE-2017-14242

SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter.

9.8CVSS9.9AI score0.00342EPSS

Web

CVE•added 2019/03/07 11:29 p.m.•48 views

CVE-2018-16808

An issue was discovered in Dolibarr through 7.0.0. There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private note.

6.1CVSS6AI score0.00267EPSS

Web

CVE•added 2015/06/10 2:59 p.m.•44 views

CVE-2015-3935

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 allow remote attackers to inject arbitrary web script or HTML via the Business Search (search_nom) field to (1) htdocs/societe/societe.php or (2) htdocs/societe/admin/societe.php.

4.3CVSS5.8AI score0.00307EPSS

Web

CVE•added 2021/12/15 7:15 a.m.•43 views

CVE-2021-42220

A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a box.

5.4CVSS5.1AI score0.00219EPSS

CVE•added 2016/01/15 8:59 p.m.•42 views

CVE-2016-1912

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php.

5.4CVSS5.1AI score0.00222EPSS

Web

CVE•added 2019/03/07 11:29 p.m.•39 views

CVE-2018-16809

An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.

9.8CVSS9.7AI score0.00707EPSS

Web

CVE•added 2020/03/16 3:15 p.m.•39 views

CVE-2019-19211

Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS.

6.1CVSS6.2AI score0.02089EPSS