Dolibarr Erp/crm

dolibarr_erp/crm

Vendor: Dolibarr • 107 CVEs

CVEs (107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-0414 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Jan 31, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0.
CVE-2022-0224 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Jan 14, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
CVE-2022-0174 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Jan 10, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Improper Validation of Specified Quantity in Input vulnerability in dolibarr dolibarr/dolibarr.
CVE-2022-22293 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Jan 2, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.
CVE-2021-33816 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Nov 10, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.
CVE-2021-33618 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Nov 10, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.
CVE-2021-25956 1Dolibarr 2Dolibarr Dolibarr Erp/crm Nov 21, 2024 Aug 17, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. Th...Show more In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.Show less
CVE-2020-35136 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Dec 23, 2020 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_tem...Show more Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.Show less
CVE-2020-13828 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Aug 31, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the...Show more Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.Show less
CVE-2020-14475 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Jun 19, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey).
CVE-2020-13240 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 May 20, 2020 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
CVE-2020-13239 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 May 20, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.
CVE-2020-11825 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Apr 16, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation...Show more In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.Show less
CVE-2020-11823 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Apr 16, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.
CVE-2020-9016 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Feb 16, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
CVE-2020-7996 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Jan 26, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header.
CVE-2020-7995 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Jan 26, 2020 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.
CVE-2020-7994 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Jan 26, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) n...Show more Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page.Show less
CVE-2019-19206 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Nov 26, 2019 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture.
CVE-2013-2093 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Nov 20, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.

Previous 1 234 5 6 Next