Dolibarr

Products by Dolibarr, sorted by most security vulnerabilities since 2018:

Dolibarr Erpcrm: 73 vulnerabilities

Dolibarr: 60 vulnerabilities

By the Year

In 2023 there have been 0 vulnerabilities in Dolibarr. Last year Dolibarr had 14 security vulnerabilities published. Right now, Dolibarr is on track to have fewer security vulnerabilities in 2023 than it did last year.

Year Vulnerabilities Average Score
2023 0 0.00
2022 14 7.19
2021 7 7.23
2020 20 6.91
2019 26 6.79
2018 10 8.44

It may take a day or so for new Dolibarr vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Dolibarr Security Vulnerabilities

CVE-2022-4093 9.8 - Critical - November 21, 2022

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affects 16.0.1 and 16.0.2 only; 16.0.0 or lower and 16.0.3 or higher are not affected.

SQL Injection

CVE-2022-43138 9.8 - Critical - November 17, 2022

Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.

Improper Privilege Management

CVE-2022-40871 9.8 - Critical - October 12, 2022

Dolibarr ERP & CRM <=15.0.3 is vulnerable to eval injection. By default, any administrator can be added via the installation page of Dolibarr, and if successfully added, malicious code can be inserted into the database and then executed by eval.

Incorrect Default Permissions

CVE-2022-2060 5.4 - Medium - June 13, 2022

Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.

XSS

CVE-2022-30875 6.1 - Medium - June 08, 2022

Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via the SQL error page.

XSS

CVE-2021-37517 7.5 - High - March 31, 2022

An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) in the forgot-password function, because the application allows email addresses as usernames, which can cause a Denial of Service.

AuthZ

CVE-2021-36625 8.8 - High - March 31, 2022

An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.

SQL Injection

CVE-2022-0819 8.8 - High - March 02, 2022

Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.

Code Injection

CVE-2022-0746 4.3 - Medium - February 25, 2022

Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.

CVE-2022-0731 6.5 - Medium - February 23, 2022

Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.

Insecure Direct Object Reference / IDOR

CVE-2022-0414 4.3 - Medium - January 31, 2022

Business Logic Errors in Packagist dolibarr/dolibarr prior to 16.0.

Business Logic Errors

CVE-2022-0224 9.8 - Critical - January 14, 2022

dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command

SQL Injection

CVE-2022-0174 4.3 - Medium - January 10, 2022

dolibarr is vulnerable to Business Logic Errors

Improper Input Validation

CVE-2022-22293 5.4 - Medium - January 02, 2022

admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.

XSS

CVE-2021-42220 5.4 - Medium - December 15, 2021

A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a box.

XSS

CVE-2021-33816 9.8 - Critical - November 10, 2021

The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.

Code Injection

CVE-2021-33618 6.1 - Medium - November 10, 2021

Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.

XSS

CVE-2021-25957 8.8 - High - August 17, 2021

In the Dolibarr application, v2.8.1 to v13.0.2 are vulnerable to account takeover via the password reset functionality. A low-privileged attacker can reset the password of any user in the application using the password reset link that the user received by email after requesting a forgotten-password reset.

Weak Password Recovery Mechanism for Forgotten Password

CVE-2021-25956 7.2 - High - August 17, 2021

In the Dolibarr application, v3.3.beta1_20121221 to v13.0.2 give admin-level users modify access to change other users' details but fail to validate that the login name already exists when renaming a user's login. This leads to complete account takeover of the victim user, since the password is overwritten for the victim user who has the same login name.

CVE-2021-25955 9 - Critical - August 15, 2021

In Dolibarr ERP CRM, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low-privileged application users to store malicious scripts in the Private Note field at the /adherents/note.php?id=1 endpoint. These scripts are executed in a victim's browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the session ID, which can lead to full account takeover of the admin, and due to another vulnerability (Improper Access Control on Private notes) a low-privileged user can update the private notes, which could lead to privilege escalation.

XSS

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).