Filtered by vendor Dolibarr
Subscriptions
Total
118 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-17578 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 5.4 Medium |
| An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field. | ||||
| CVE-2020-11823 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 5.4 Medium |
| In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account. | ||||
| CVE-2020-11825 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 8.8 High |
| In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation. | ||||
| CVE-2020-13239 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 5.4 Medium |
| The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS. | ||||
| CVE-2020-13240 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 5.4 Medium |
| The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS. | ||||
| CVE-2020-13828 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 5.4 Medium |
| Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter. | ||||
| CVE-2020-14475 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey). | ||||
| CVE-2020-35136 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 7.2 High |
| Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php. | ||||
| CVE-2020-7994 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 6.1 Medium |
| Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page. | ||||
| CVE-2020-7995 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 9.8 Critical |
| The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. | ||||
| CVE-2020-7996 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 6.1 Medium |
| htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header. | ||||
| CVE-2020-9016 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 5.4 Medium |
| Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header. | ||||
| CVE-2021-25956 | 1 Dolibarr | 2 Dolibarr, Dolibarr Erp\/crm | 2022-11-17 | 7.2 High |
| In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name. | ||||
| CVE-2021-33618 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 6.1 Medium |
| Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature. | ||||
| CVE-2021-33816 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 9.8 Critical |
| The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked. | ||||
| CVE-2021-25954 | 1 Dolibarr | 1 Dolibarr | 2022-10-25 | 4.3 Medium |
| In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at “/adherents/note.php?id=1” endpoint. | ||||
| CVE-2017-9435 | 1 Dolibarr | 1 Dolibarr | 2022-10-03 | N/A |
| Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). | ||||
| CVE-2018-13450 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-10-03 | N/A |
| SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the status_batch parameter. | ||||
| CVE-2018-13449 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-10-03 | N/A |
| SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut_buy parameter. | ||||
| CVE-2018-13448 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-10-03 | N/A |
| SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the country_id parameter. | ||||