Dolibarr Erpcrm
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Dolibarr Erpcrm.
By the Year
In 2025 there have been 2 vulnerabilities in Dolibarr Erpcrm with an average score of 9.0 out of ten. Last year, in 2024 Dolibarr Erpcrm had 7 security vulnerabilities published. Right now, Dolibarr Erpcrm is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 1.52.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 2 | 9.00 |
2024 | 7 | 7.48 |
2023 | 9 | 7.57 |
2022 | 14 | 7.19 |
2021 | 3 | 7.70 |
2020 | 11 | 6.46 |
2019 | 24 | 6.70 |
2018 | 5 | 8.92 |
It may take a day or so for new Dolibarr Erpcrm vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Dolibarr Erpcrm Security Vulnerabilities
A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta
CVE-2024-55227
9 - Critical
- January 27, 2025
A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title parameter.
XSS
A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta
CVE-2024-55228
9 - Critical
- January 27, 2025
A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title parameter.
XSS
An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch
CVE-2021-3991
4.3 - Medium
- November 15, 2024
An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.
Insecure Direct Object Reference / IDOR
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1
CVE-2024-37821
- June 18, 2024
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection
CVE-2024-5314
9.1 - Critical
- May 24, 2024
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters sortorder y sortfield in /dolibarr/admin/dict.php.
SQL Injection
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection
CVE-2024-5315
9.1 - Critical
- May 24, 2024
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters viewstatut in /dolibarr/commande/list.php.
SQL Injection
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before
CVE-2024-31503
- April 17, 2024
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.
Session Riding
Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0
CVE-2024-29477
8.8 - High
- April 03, 2024
Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.
Code Injection
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package
CVE-2024-23817
6.1 - Medium
- January 25, 2024
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks; and implement proper output encoding when rendering user-provided data to ensure it is treated as plain text rather than executable HTML.
XSS
Improper Access Control in Dolibarr ERP CRM <= v17.0.3
CVE-2023-4198
6.5 - Medium
- November 01, 2023
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data
AuthZ
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website
CVE-2023-4197
8.8 - High
- November 01, 2023
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
Injection
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.
CVE-2023-5842
4.8 - Medium
- October 30, 2023
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.
XSS
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.
CVE-2023-5323
6.1 - Medium
- October 01, 2023
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.
XSS
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before
CVE-2023-38888
9.6 - Critical
- September 20, 2023
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.
XSS
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before
CVE-2023-38887
8.8 - High
- September 20, 2023
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.
Unrestricted File Upload
An issue in Dolibarr ERP CRM v.17.0.1 and before
CVE-2023-38886
7.2 - High
- September 20, 2023
An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.
An issue in Dolibarr 16 before 16.0.5
CVE-2023-33568
7.5 - High
- June 13, 2023
An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.
Files or Directories Accessible to External Parties
Dolibarr before 17.0.1
CVE-2023-30253
8.8 - High
- May 29, 2023
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
Shell injection
SQL injection attacks
CVE-2022-4093
9.8 - Critical
- November 21, 2022
SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affect 16.0.1 and 16.0.2 only. 16.0.0 or lower, and 16.0.3 or higher are not affected
SQL Injection
Dolibarr Open Source ERP & CRM for Business before v14.0.1
CVE-2022-43138
9.8 - Critical
- November 17, 2022
Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection
CVE-2022-40871
9.8 - Critical
- October 12, 2022
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.
Code Injection
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2022-2060
5.4 - Medium
- June 13, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.
XSS
Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS)
CVE-2022-30875
6.1 - Medium
- June 08, 2022
Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via Sql Error Page.
XSS
An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application
CVE-2021-37517
7.5 - High
- March 31, 2022
An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service.
AuthZ
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0)
CVE-2021-36625
8.8 - High
- March 31, 2022
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.
SQL Injection
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
CVE-2022-0819
8.8 - High
- March 02, 2022
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2022-0746
4.3 - Medium
- February 25, 2022
Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2022-0731
6.5 - Medium
- February 23, 2022
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
Insecure Direct Object Reference / IDOR
Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0.
CVE-2022-0414
4.3 - Medium
- January 31, 2022
Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0.
Improper Validation of Specified Quantity in Input
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
CVE-2022-0224
9.8 - Critical
- January 14, 2022
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
SQL Injection
Improper Validation of Specified Quantity in Input vulnerability in dolibarr dolibarr/dolibarr.
CVE-2022-0174
4.3 - Medium
- January 10, 2022
Improper Validation of Specified Quantity in Input vulnerability in dolibarr dolibarr/dolibarr.
Improper Validation of Specified Quantity in Input
admin/limits.php in Dolibarr 7.0.2
CVE-2022-22293
5.4 - Medium
- January 02, 2022
admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.
XSS
The website builder module in Dolibarr 13.0.2
CVE-2021-33816
9.8 - Critical
- November 10, 2021
The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.
Code Injection
Dolibarr ERP and CRM 13.0.2
CVE-2021-33618
6.1 - Medium
- November 10, 2021
Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.
XSS
In Dolibarr application
CVE-2021-25956
7.2 - High
- August 17, 2021
In Dolibarr application, v3.3.beta1_20121221 to v13.0.2 have Modify access for admin level users to change other users details but fails to validate already existing Login name, while renaming the user Login. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.
Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution
CVE-2020-35136
7.2 - High
- December 23, 2020
Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.
Argument Injection
Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities
CVE-2020-13828
5.4 - Medium
- August 31, 2020
Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.
XSS
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3
CVE-2020-14475
6.1 - Medium
- June 19, 2020
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey).
XSS
The DMS/ECM module in Dolibarr 11.0.4
CVE-2020-13240
5.4 - Medium
- May 20, 2020
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
Exposure of Resource to Wrong Sphere
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed
CVE-2020-13239
5.4 - Medium
- May 20, 2020
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.
XSS
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page
CVE-2020-11823
5.4 - Medium
- April 16, 2020
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.
XSS
In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks
CVE-2020-11825
8.8 - High
- April 16, 2020
In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.
Session Riding
Dolibarr 11.0 allows XSS
CVE-2020-9016
5.4 - Medium
- February 16, 2020
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
XSS
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6
CVE-2020-7994
6.1 - Medium
- January 26, 2020
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page.
XSS
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6
CVE-2020-7995
9.8 - Critical
- January 26, 2020
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.
Improper Restriction of Excessive Authentication Attempts
htdocs/user/passwordforgotten.php in Dolibarr 10.0.6
CVE-2020-7996
6.1 - Medium
- January 26, 2020
htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header.
XSS
Dolibarr CRM/ERP 10.0.3
CVE-2019-19206
5.4 - Medium
- November 26, 2019
Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture.
XSS
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1
CVE-2013-2092
6.1 - Medium
- November 20, 2019
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
XSS
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which
CVE-2013-2093
9.8 - Critical
- November 20, 2019
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
Improper Input Validation
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1
CVE-2013-2091
9.8 - Critical
- November 20, 2019
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
SQL Injection
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Dolibarr Erpcrm or by Dolibarr? Click the Watch button to subscribe.
