Dolibarr
Products by Dolibarr Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2023 there have been 0 vulnerabilities in Dolibarr. Last year Dolibarr had 14 security vulnerabilities published. Right now, Dolibarr is on track to have fewer security vulnerabilities in 2023 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 0 | 0.00 |
2022 | 14 | 7.19 |
2021 | 7 | 7.23 |
2020 | 20 | 6.91 |
2019 | 26 | 6.79 |
2018 | 10 | 8.44 |
It may take a day or so for new Dolibarr vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Dolibarr Security Vulnerabilities
SQL injection attacks
CVE-2022-4093
9.8 - Critical
- November 21, 2022
SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affects 16.0.1 and 16.0.2 only; 16.0.0 or lower and 16.0.3 or higher are not affected.
SQL Injection
Dolibarr Open Source ERP & CRM for Business before v14.0.1
CVE-2022-43138
9.8 - Critical
- November 17, 2022
Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.
Improper Privilege Management
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection
CVE-2022-40871
9.8 - Critical
- October 12, 2022
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.
Incorrect Default Permissions
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2022-2060
5.4 - Medium
- June 13, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.
XSS
Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS)
CVE-2022-30875
6.1 - Medium
- June 08, 2022
Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via Sql Error Page.
XSS
An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0, in the forgot-password function because the application
CVE-2021-37517
7.5 - High
- March 31, 2022
An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0, in the forgot-password function because the application allows email addresses as usernames, which can cause a Denial of Service.
AuthZ
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0)
CVE-2021-36625
8.8 - High
- March 31, 2022
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.
SQL Injection
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
CVE-2022-0819
8.8 - High
- March 02, 2022
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
Code Injection
Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2022-0746
4.3 - Medium
- February 25, 2022
Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2022-0731
6.5 - Medium
- February 23, 2022
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
Insecure Direct Object Reference / IDOR
Business Logic Errors in Packagist dolibarr/dolibarr prior to 16.0.
CVE-2022-0414
4.3 - Medium
- January 31, 2022
Business Logic Errors in Packagist dolibarr/dolibarr prior to 16.0.
Business Logic Errors
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
CVE-2022-0224
9.8 - Critical
- January 14, 2022
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
SQL Injection
dolibarr is vulnerable to Business Logic Errors
CVE-2022-0174
4.3 - Medium
- January 10, 2022
dolibarr is vulnerable to Business Logic Errors
Improper Input Validation
admin/limits.php in Dolibarr 7.0.2
CVE-2022-22293
5.4 - Medium
- January 02, 2022
admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.
XSS
A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow
CVE-2021-42220
5.4 - Medium
- December 15, 2021
A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a box.
XSS
The website builder module in Dolibarr 13.0.2
CVE-2021-33816
9.8 - Critical
- November 10, 2021
The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.
Code Injection
Dolibarr ERP and CRM 13.0.2
CVE-2021-33618
6.1 - Medium
- November 10, 2021
Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.
XSS
In Dolibarr application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality
CVE-2021-25957
8.8 - High
- August 17, 2021
In Dolibarr application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password.
Weak Password Recovery Mechanism for Forgotten Password
In Dolibarr application
CVE-2021-25956
7.2 - High
- August 17, 2021
In Dolibarr application, v3.3.beta1_20121221 to v13.0.2 give admin-level users Modify access to change other users' details but fail to validate an already existing Login name while renaming the user Login. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.
In Dolibarr ERP CRM, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability
CVE-2021-25955
9 - Critical
- August 15, 2021
In Dolibarr ERP CRM, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Private Note field at the /adherents/note.php?id=1 endpoint. These scripts are executed in a victim's browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full account takeover of the admin, and due to another vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes, which could lead to privilege escalation.
XSS