Dolibarr Erpcrm
By the Year
In 2023 there have been 0 vulnerabilities in Dolibarr Erpcrm. Last year Dolibarr Erpcrm had 14 security vulnerabilities published. Right now, Dolibarr Erpcrm is on track to have fewer security vulnerabilities in 2023 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 0 | 0.00 |
2022 | 14 | 7.19 |
2021 | 3 | 7.70 |
2020 | 11 | 6.46 |
2019 | 24 | 6.70 |
2018 | 5 | 8.92 |
It may take a day or so for new Dolibarr Erpcrm vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Dolibarr Erpcrm Security Vulnerabilities
SQL injection attacks
CVE-2022-4093
9.8 - Critical
- November 21, 2022
SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affects 16.0.1 and 16.0.2 only; 16.0.0 or lower and 16.0.3 or higher are not affected.
SQL Injection
Dolibarr Open Source ERP & CRM for Business before v14.0.1
CVE-2022-43138
9.8 - Critical
- November 17, 2022
Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.
Improper Privilege Management
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection
CVE-2022-40871
9.8 - Critical
- October 12, 2022
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added via the installation page of Dolibarr, and if successfully added, malicious code can be inserted into the database and then executed by eval.
Incorrect Default Permissions
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2022-2060
5.4 - Medium
- June 13, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.
XSS
Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS)
CVE-2022-30875
6.1 - Medium
- June 08, 2022
Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via Sql Error Page.
XSS
An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0, in the forgot-password function because the application
CVE-2021-37517
7.5 - High
- March 31, 2022
An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0, in the forgot-password function because the application allows email addresses as usernames, which can cause a Denial of Service.
AuthZ
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0)
CVE-2021-36625
8.8 - High
- March 31, 2022
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.
SQL Injection
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
CVE-2022-0819
8.8 - High
- March 02, 2022
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
Code Injection
Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2022-0746
4.3 - Medium
- February 25, 2022
Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2022-0731
6.5 - Medium
- February 23, 2022
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
Insecure Direct Object Reference / IDOR
Business Logic Errors in Packagist dolibarr/dolibarr prior to 16.0.
CVE-2022-0414
4.3 - Medium
- January 31, 2022
Business Logic Errors in Packagist dolibarr/dolibarr prior to 16.0.
Business Logic Errors
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
CVE-2022-0224
9.8 - Critical
- January 14, 2022
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
SQL Injection
dolibarr is vulnerable to Business Logic Errors
CVE-2022-0174
4.3 - Medium
- January 10, 2022
dolibarr is vulnerable to Business Logic Errors
Improper Input Validation
admin/limits.php in Dolibarr 7.0.2
CVE-2022-22293
5.4 - Medium
- January 02, 2022
admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.
XSS
The website builder module in Dolibarr 13.0.2
CVE-2021-33816
9.8 - Critical
- November 10, 2021
The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.
Code Injection
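The CVE-2021-33816 entry above describes a denylist that names system, exec and shell_exec but forgets that PHP's backtick operator is shell execution too. The following is an added example, not Dolibarr's code, contrasting a text-match denylist with a check built on PHP's own tokenizer (token_get_all), which sees the backtick as a distinct operator token. The function names are hypothetical; the payload is constructed; T_NAME_FULLY_QUALIFIED handling assumes PHP 8.

```php
<?php
// Added example, not Dolibarr code: why a function-name denylist misses the
// backtick operator, and a tokenizer-based check that catches it.

// The shape the advisory describes: a handful of function names matched as text.
function denylistCheck(string $code): bool
{
    foreach (['system', 'exec', 'shell_exec'] as $fn) {
        if (stripos($code, $fn) !== false) {
            return false;                       // rejected
        }
    }
    return true;                                // accepted
}

// Token-level check. PHP's lexer returns the backtick operator as a bare '`'
// string token, independent of any function name, so it cannot be hidden by
// the spelling tricks that defeat a plain text match.
function tokenCheck(string $code): bool
{
    $banned = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];
    $nameTokens = [T_STRING];
    if (defined('T_NAME_FULLY_QUALIFIED')) {    // PHP 8: \system is a separate token kind
        $nameTokens[] = T_NAME_FULLY_QUALIFIED;
    }
    foreach (token_get_all($code) as $tok) {
        if (is_string($tok)) {
            if ($tok === '`') {
                return false;                   // shell execution operator
            }
            continue;
        }
        [$id, $text] = $tok;
        if ($id === T_EVAL) {
            return false;
        }
        $name = strtolower(ltrim($text, '\\'));
        if (in_array($id, $nameTokens, true) && in_array($name, $banned, true)) {
            return false;
        }
    }
    return true;
}

$payload = '<?php echo `id`; ?>';               // constructed input for the comparison
var_dump(denylistCheck($payload));              // text filter
var_dump(tokenCheck($payload));                 // token filter
```

Even the token-based version is still a denylist: a variable function call such as `$f = 'sys' . 'tem'; $f('id');`, call_user_func, or an include of an uploaded file all get past it. The durable fix for a "dynamic content" feature is to not accept PHP from lower-privileged users at all, or to gate it behind an explicit, admin-only permission.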
Dolibarr ERP and CRM 13.0.2
CVE-2021-33618
6.1 - Medium
- November 10, 2021
Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.
XSS
In Dolibarr application
CVE-2021-25956
7.2 - High
- August 17, 2021
In the Dolibarr application, versions v3.3.beta1_20121221 to v13.0.2 give admin-level users Modify access to change other users' details but fail to validate whether a login name already exists when renaming a user's login. This leads to complete account takeover of the victim user, since the password is overwritten for the victim user who holds the same login name.
Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution
CVE-2020-35136
7.2 - High
- December 23, 2020
Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.
Argument Injection
Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities
CVE-2020-13828
5.4 - Medium
- August 31, 2020
Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.
XSS
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3
CVE-2020-14475
6.1 - Medium
- June 19, 2020
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey).
XSS
The DMS/ECM module in Dolibarr 11.0.4
CVE-2020-13240
5.4 - Medium
- May 20, 2020
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
Exposure of Resource to Wrong Sphere
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed
CVE-2020-13239
5.4 - Medium
- May 20, 2020
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.
XSS
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page
CVE-2020-11823
5.4 - Medium
- April 16, 2020
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.
XSS
In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks
CVE-2020-11825
8.8 - High
- April 16, 2020
In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.
Session Riding
Dolibarr 11.0 allows XSS
CVE-2020-9016
5.4 - Medium
- February 16, 2020
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
XSS
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6
CVE-2020-7995
9.8 - Critical
- January 26, 2020
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.
Improper Restriction of Excessive Authentication Attempts
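CVE-2020-7995 above is the absence of any brake on failed logins. The block below is an added example, not Dolibarr's code: a per-account failure counter with a lockout window that grows on repeated lockouts. The class name and storage are hypothetical; an in-memory array stands in for the database or cache a real deployment would share across web workers, and the clock is injected so the logic can be exercised without sleeping. Constructor property promotion and named arguments assume PHP 8.

```php
<?php
// Added example, not Dolibarr code: per-account login throttling with an
// escalating lockout. State lives in an array here; use a shared store in production.

final class LoginThrottle
{
    private array $state = [];          // login => ['fails' => int, 'until' => int]

    public function __construct(
        private int $maxFails = 5,
        private int $lockSeconds = 900,
    ) {}

    /** True if this login may attempt authentication at time $now. */
    public function allowed(string $login, int $now): bool
    {
        $s = $this->state[$login] ?? null;
        return $s === null || $s['until'] <= $now;
    }

    public function recordFailure(string $login, int $now): void
    {
        $s = $this->state[$login] ?? ['fails' => 0, 'until' => 0];
        $s['fails']++;
        if ($s['fails'] >= $this->maxFails) {
            // Each failure past the threshold doubles the lockout length.
            $factor = 2 ** ($s['fails'] - $this->maxFails);
            $s['until'] = $now + $this->lockSeconds * $factor;
        }
        $this->state[$login] = $s;
    }

    /** A successful login clears the counter. */
    public function recordSuccess(string $login): void
    {
        unset($this->state[$login]);
    }
}

// Usage: three wrong passwords for "admin" inside one minute, then two checks,
// one inside the lockout window and one after it has expired.
$t   = new LoginThrottle(maxFails: 3, lockSeconds: 60);
$now = 1_700_000_000;                   // constructed timestamp
foreach ([1, 2, 3] as $i) {
    if ($t->allowed('admin', $now + $i)) {
        $t->recordFailure('admin', $now + $i);
    }
}
var_dump($t->allowed('admin', $now + 10));
var_dump($t->allowed('admin', $now + 70));
```

A purely per-account lock lets an attacker freeze the admin account on purpose (compare the forgot-password denial of service listed above), so pair it with a per-source-IP counter and prefer a growing delay or CAPTCHA over a hard lock for the first few thresholds.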
htdocs/user/passwordforgotten.php in Dolibarr 10.0.6
CVE-2020-7996
6.1 - Medium
- January 26, 2020
htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header.
XSS
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6
CVE-2020-7994
6.1 - Medium
- January 26, 2020
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page.
XSS
Dolibarr CRM/ERP 10.0.3
CVE-2019-19206
5.4 - Medium
- November 26, 2019
Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture.
XSS
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which
CVE-2013-2093
9.8 - Critical
- November 20, 2019
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
Improper Input Validation
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1
CVE-2013-2092
6.1 - Medium
- November 20, 2019
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
XSS
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1
CVE-2013-2091
9.8 - Critical
- November 20, 2019
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
SQL Injection
An issue was discovered in Dolibarr 10.0.2
CVE-2019-17578
5.4 - Medium
- October 16, 2019
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field.
XSS
An issue was discovered in Dolibarr 10.0.2
CVE-2019-17576
5.4 - Medium
- October 16, 2019
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field.
XSS
An issue was discovered in Dolibarr 10.0.2
CVE-2019-17577
5.4 - Medium
- October 16, 2019
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field.
XSS
There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2
CVE-2019-17223
6.1 - Medium
- October 15, 2019
There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php.
XSS
Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php
CVE-2019-16685
5.4 - Medium
- September 27, 2019
Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
XSS
Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php
CVE-2019-16688
5.4 - Medium
- September 27, 2019
Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.)
XSS
Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php
CVE-2019-16687
5.4 - Medium
- September 27, 2019
Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
XSS
Dolibarr 9.0.5 has stored XSS in a User Note section to note.php
CVE-2019-16686
5.4 - Medium
- September 27, 2019
Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin.
XSS
In htdocs/societe/card.php in Dolibarr 10.0.1
CVE-2019-16197
6.1 - Medium
- September 16, 2019
In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS.
XSS
An issue was discovered in Dolibarr 11.0.0-alpha
CVE-2019-15062
8 - High
- August 14, 2019
An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)
Session Riding
Dolibarr ERP/CRM 9.0.1 provides a module named website for creating public websites with a WYSIWYG editor
CVE-2019-11201
8 - High
- July 29, 2019
Dolibarr ERP/CRM 9.0.1 provides a module named website for creating public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server.
Code Injection
Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files
CVE-2019-11199
5.4 - Medium
- July 29, 2019
Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be exploited by low privileged users to target administrators. The viewimage.php page did not perform any contextual output encoding and would display the content within the uploaded file with a user-requested MIME type.
XSS
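Four entries on this page are the same failure seen from different angles: viewimage.php serving an upload with a caller-chosen MIME type (CVE-2019-11199), JavaScript in an SVG avatar (CVE-2019-19206), .html uploads rendered inline when the attachment parameter is dropped (CVE-2020-13239), and the .noexe marker defeated by renaming (CVE-2020-13240). The following is an added example, not Dolibarr's code, of a download handler that decides the Content-Type from an allowlist and the file's own leading bytes, ignores any type the request asks for, sends X-Content-Type-Options: nosniff, and forces a download for anything not provably a raster image. The function names are hypothetical and the inputs are constructed; str_starts_with assumes PHP 8.

```php
<?php
// Added example, not Dolibarr code: serve user uploads without letting them
// execute as markup. The browser never gets a type the uploader chose.

// Only raster images are allowed inline. SVG and HTML are deliberately absent:
// both can carry <script>.
const INLINE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/** Identify an image from its first bytes, or null if it is not a known image. */
function sniffImage(string $head): ?string
{
    if (str_starts_with($head, "\x89PNG\r\n\x1a\n")) return 'image/png';
    if (str_starts_with($head, "\xFF\xD8\xFF"))      return 'image/jpeg';
    if (str_starts_with($head, "GIF87a") || str_starts_with($head, "GIF89a")) return 'image/gif';
    if (str_starts_with($head, "RIFF") && substr($head, 8, 4) === "WEBP") return 'image/webp';
    return null;
}

/**
 * Headers for a stored file given its name and its first 16+ bytes.
 * Inline only when the extension and the magic bytes agree on a raster type;
 * otherwise an opaque attachment, whatever the name says.
 */
function downloadHeaders(string $storedName, string $head): array
{
    $ext      = strtolower(pathinfo($storedName, PATHINFO_EXTENSION));
    $declared = INLINE_TYPES[$ext] ?? null;
    $actual   = sniffImage($head);
    // Keep the filename header free of quotes, newlines and path separators.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($storedName));

    $headers = ['X-Content-Type-Options' => 'nosniff'];
    if ($declared !== null && $declared === $actual) {
        $headers['Content-Type']        = $declared;
        $headers['Content-Disposition'] = 'inline; filename="' . $safeName . '"';
    } else {
        $headers['Content-Type']        = 'application/octet-stream';
        $headers['Content-Disposition'] = 'attachment; filename="' . $safeName . '"';
    }
    return $headers;
}

// Constructed cases: a genuine PNG header, an HTML file renamed to .png,
// a real .html upload, and an SVG avatar.
foreach ([
    ['avatar.png',  "\x89PNG\r\n\x1a\n\0\0\0\rIHDR"],
    ['avatar.png',  "<html><script>alert(1)</script>"],
    ['notes.html',  "<html><body>hi</body></html>"],
    ['avatar.svg',  "<svg onload=\"alert(1)\"></svg>"],
] as [$name, $head]) {
    print_r(downloadHeaders($name, $head));
}
// In the real handler: foreach ($headers as $k => $v) header("$k: $v"); then readfile().
```

Serving uploads from a separate origin (a dedicated files hostname with no session cookie) removes the remaining risk: even an inline file then runs in an origin that holds nothing worth stealing.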
Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file
CVE-2019-11200
8.8 - High
- July 29, 2019
Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. (Malicious binaries can be uploaded by abusing other functionalities of the application.)
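CVE-2019-11200 above and CVE-2020-35136 (the zipfilename_template payload) are both argument injection into a mysqldump command line built from request data. The block below is an added example, not Dolibarr's code: the vulnerable concatenation shape next to a version that validates the file name against an allowlist, passes argv as an array to proc_open so no shell ever parses it, and supplies the password through the environment rather than the command line. The function names, the /usr/bin/mysqldump path and the dump directory are assumptions; the array form of proc_open needs PHP 7.4 or later.

```php
<?php
// Added example, not Dolibarr code: running mysqldump without handing the
// request a shell. Database name, credentials and dump directory come from
// application config, never from the request.

function validateDumpName(string $name): string
{
    // Allowlist: letters, digits, dot, dash, underscore; may not start with '-'
    // (mysqldump would read it as an option) or '.', and must end in .sql.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]{0,127}\.sql\z/', $name)) {
        throw new InvalidArgumentException('invalid dump file name');
    }
    return $name;
}

/**
 * Vulnerable shape: the name is interpolated into a shell command line, so a
 * value like "x.sql; /tmp/evil" (or "`/tmp/evil`") runs /tmp/evil as the web user.
 */
function dumpCommandVulnerable(string $db, string $name): string
{
    return "mysqldump --user=app $db > /var/backups/$name";   // do not do this
}

/** Hardened: argv array (no shell), validated name, password via environment. */
function dumpHardened(string $db, string $name, string $dumpDir, string $password): void
{
    $path = $dumpDir . '/' . validateDumpName($name);
    $argv = ['/usr/bin/mysqldump', '--user=app', '--result-file=' . $path, $db];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes, null, ['MYSQL_PWD' => $password]);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start mysqldump');
    }
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('mysqldump failed: ' . trim($err));
    }
}

// Constructed attacker input, shown against both shapes. dumpHardened() itself
// is not invoked here because it needs a live MySQL server.
$evil = 'x.sql; /tmp/evil';
echo dumpCommandVulnerable('erp', $evil), PHP_EOL;        // the injected command line
try {
    validateDumpName($evil);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'accepted: ', validateDumpName('nightly-2024-01.sql'), PHP_EOL;
```

A --defaults-extra-file owned by the web user is the cleaner way to pass credentials than MYSQL_PWD, which newer MySQL releases flag as deprecated; either keeps the password out of the process list. The backup feature should also be restricted to a dedicated permission rather than granted to every admin-panel user.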
Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF)
CVE-2019-1010054
8.8 - High
- July 18, 2019
Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allows malicious HTML to change a user's password, disable users and disable password encryption. The component is: the user password change, user disable and password encryption functions. The attack vector is: an admin accessing malicious URLs.
Session Riding
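Three CSRF entries on this page show the progression of weak defences: no token at all (CVE-2019-1010054 above), a Referer check that an attacker defeats by hosting the IFRAME on one of the application's own pages (CVE-2019-15062), and tokens that exist but are accepted across sessions (CVE-2020-11825). The block below is an added example, not Dolibarr's code, of a token that is derived from a per-session secret, scoped to one form, and compared in constant time, so a token minted in one session is worthless in another and the Referer header plays no part. The function names are hypothetical and plain arrays stand in for $_SESSION.

```php
<?php
// Added example, not Dolibarr code: session-bound, per-form CSRF tokens.

/** Lazily create the session's CSRF secret (32 random bytes, hex encoded). */
function csrfSecret(array &$session): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_secret'];
}

/**
 * Token to embed in a form. HMAC over the form identifier with the session
 * secret as key, so a token for user/card.php is not valid on admin/company.php,
 * and a token from another session never matches this session's secret.
 */
function csrfFormToken(array &$session, string $formId): string
{
    return hash_hmac('sha256', $formId, csrfSecret($session));
}

/** Verify a submitted token for this form in this session. */
function csrfValid(array &$session, string $formId, ?string $submitted): bool
{
    if ($submitted === null || empty($session['csrf_secret'])) {
        return false;                           // no secret yet: nothing can be valid
    }
    $expected = hash_hmac('sha256', $formId, $session['csrf_secret']);
    return hash_equals($expected, $submitted);  // constant-time comparison
}

// Two constructed sessions standing in for two logged-in users.
$attacker = [];
$victim   = [];
$tok = csrfFormToken($attacker, 'user/card.php');       // attacker's own valid token
csrfFormToken($victim, 'user/card.php');                 // victim's session has its own secret

var_dump(csrfValid($attacker, 'user/card.php', $tok));   // same session, same form
var_dump(csrfValid($victim, 'user/card.php', $tok));     // replayed into another session
var_dump(csrfValid($attacker, 'admin/company.php', $tok)); // replayed onto another form
```

Set the session cookie with SameSite=Lax or Strict as a second layer; it does not replace the token, because the IFRAME in CVE-2019-15062 is same-site by construction.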
Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS)
CVE-2019-1010016
6.1 - Medium
- July 15, 2019
Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the attacker.
XSS
SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2
CVE-2018-19998
8.8 - High
- January 03, 2019
SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.
SQL Injection
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2
CVE-2018-19995
5.4 - Medium
- January 03, 2019
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php.
XSS
An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2
CVE-2018-19994
8.8 - High
- January 03, 2019
An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter.
SQL Injection
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2
CVE-2018-19993
6.1 - Medium
- January 03, 2019
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the transphrase parameter to public/notice.php.
XSS
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2
CVE-2018-19992
5.4 - Medium
- January 03, 2019
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php.
XSS
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3
CVE-2018-13448
9.8 - Critical
- July 08, 2018
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the country_id parameter.
SQL Injection
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3
CVE-2018-13449
9.8 - Critical
- July 08, 2018
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut_buy parameter.
SQL Injection
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3
CVE-2018-13450
9.8 - Critical
- July 08, 2018
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the status_batch parameter.
SQL Injection
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3
CVE-2018-13447
9.8 - Critical
- July 08, 2018
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut parameter.
SQL Injection
Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details
CVE-2017-1000509
5.4 - Medium
- February 09, 2018
Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code.
XSS
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which
CVE-2017-17971
6.1 - Medium
- December 29, 2017
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS.
XSS
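CVE-2017-17971 above is a filter that enumerates event attributes and forgets two. The block below is an added example, not Dolibarr's code, showing the short-list check, the generic pattern that catches any on* attribute (including variants split by whitespace or a slash), and the output-encoding function that makes input filtering unnecessary for the HTML text and attribute contexts. Function names and the payload are constructed.

```php
<?php
// Added example, not Dolibarr code: attribute denylist vs. output encoding.

// The shape described above: a fixed list of attribute names, easy to miss one.
function blocksEventAttribute(string $input): bool
{
    foreach (['onload', 'onerror', 'onmouseover'] as $attr) {
        if (stripos($input, $attr) !== false) {
            return true;
        }
    }
    return false;
}

// Generic form: any on* attribute preceded by whitespace, a quote or the "/"
// HTML tolerates between attributes. Still a denylist, so only defence in depth.
function blocksAnyEventAttribute(string $input): bool
{
    return (bool) preg_match('/[\s\/"\']on[a-z]+\s*=/i', $input);
}

// The actual fix: encode at the output point for the context being written.
// ENT_QUOTES covers both quote styles so attribute values cannot be closed early;
// ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$payload = '<img src=x onscroll=alert(1)>';     // constructed; not on the short list
var_dump(blocksEventAttribute($payload));
var_dump(blocksAnyEventAttribute($payload));

// Rendered safely in both an attribute and an element body, with no filter at all.
echo '<div title="' . h($payload) . '">' . h($payload) . '</div>', PHP_EOL;
```

The regex does nothing for the other contexts on this page: a value written into a JavaScript block, a URL attribute (javascript: scheme) or a style attribute each need their own encoding or an allowlist, which is why a template layer that encodes by context beats any input filter.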
SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4
CVE-2017-17900
9.8 - Critical
- December 27, 2017
SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter.
SQL Injection
SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4
CVE-2017-17897
9.8 - Critical
- December 27, 2017
SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
SQL Injection
Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which
CVE-2017-17898
7.5 - High
- December 27, 2017
Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.
Information Disclosure
SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4
CVE-2017-17899
9.8 - Critical
- December 27, 2017
SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter.
SQL Injection
Dolibarr ERP/CRM 4.0.4
CVE-2017-8879
6.8 - Medium
- May 10, 2017
Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation.
Authentication
Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm
CVE-2017-7888
9.8 - Critical
- May 10, 2017
Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.
Inadequate Encryption Strength
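CVE-2017-7888 above is unsalted MD5 password storage. The block below is an added example, not Dolibarr's code, of a login path that verifies with password_verify(), falls back to the legacy MD5 digest for accounts that have not logged in since the change, and replaces that digest with a modern hash on the first successful login so the migration needs no plaintext passwords and no forced reset. The record shape and function name are hypothetical.

```php
<?php
// Added example, not Dolibarr code: verify against password_hash() output,
// accept a legacy MD5 digest once, and upgrade it in place.

/**
 * $user['hash'] holds either a password_hash() string or a legacy 32-hex MD5.
 * Returns true on a correct password; the record is updated by reference when
 * an upgrade or rehash happened, and the caller persists it.
 */
function verifyAndUpgrade(array &$user, string $password): bool
{
    $stored = $user['hash'];

    // Modern hash: password_verify() returns false for anything it cannot parse,
    // so an MD5 string falls through to the legacy branch below.
    if (password_verify($password, $stored)) {
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }

    // Legacy branch: unsalted MD5. Compare in constant time and, on success,
    // replace it so the weak digest does not survive the login.
    if (strlen($stored) === 32 && ctype_xdigit($stored)
        && hash_equals($stored, md5($password))) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    return false;
}

// Constructed legacy record, a wrong password, then the right one.
$user = ['hash' => md5('correct horse battery')];
var_dump(verifyAndUpgrade($user, 'wrong password'));
var_dump(verifyAndUpgrade($user, 'correct horse battery'));
echo 'stored algorithm is now: ', password_get_info($user['hash'])['algoName'], PHP_EOL;
var_dump(verifyAndUpgrade($user, 'correct horse battery'));   // verifies against the new hash
```

Accounts that never log in keep their MD5 digest indefinitely; after a grace period, expire those and force a reset. Where the build has it, PASSWORD_ARGON2ID is the stronger choice over the bcrypt default.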
Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php
CVE-2017-7887
6.1 - Medium
- May 10, 2017
Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter.
XSS
Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php
CVE-2017-7886
9.8 - Critical
- May 10, 2017
Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter.
SQL Injection
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3
CVE-2014-3992
- July 11, 2014
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php.
SQL Injection
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3
CVE-2014-3991
- July 11, 2014
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu, or (7) leftmenu parameter to index.php; the (8) dol_use_jmobile, (9) dol_optimize_smallscreen, (10) dol_no_mouse_hover, (11) dol_hide_topmenu, or (12) dol_hide_leftmenu parameter to user/index.php; the (13) dol_use_jmobile, (14) dol_optimize_smallscreen, (15) dol_no_mouse_hover, (16) dol_hide_topmenu, or (17) dol_hide_leftmenu parameter to user/logout.php; the (18) email, (19) firstname, (20) job, (21) lastname, or (22) login parameter in an update action in a "User Card" to user/fiche.php; or the (23) modulepart or (24) file parameter to viewimage.php.
XSS
Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha
CVE-2012-1226
- February 21, 2012
Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to comm/action/fiche.php.
Directory traversal
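CVE-2012-1226 above is the classic "..": a file parameter resolved relative to a directory without checking where it lands. The block below is an added example, not Dolibarr's code, of a containment check that canonicalises the resolved path with realpath() and compares it to the canonical base directory, which also catches symlinks pointing outside and the encoded variants a plain ".." string search misses. The function name is hypothetical, the directory layout is created in a temp directory for the demonstration, and str_contains/str_starts_with assume PHP 8.

```php
<?php
// Added example, not Dolibarr code: confine a user-supplied file name to a
// base directory by comparing canonical paths, not by searching for "..".

function resolveInside(string $baseDir, string $userPath): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    // NUL bytes and absolute paths are never legitimate here.
    if (str_contains($userPath, "\0") || str_starts_with($userPath, '/')) {
        throw new InvalidArgumentException('bad path');
    }
    // realpath() resolves ".." and symlinks and fails for files that do not
    // exist, so the prefix test below sees where the request really lands.
    $candidate = realpath($base . '/' . $userPath);
    if ($candidate === false
        || ($candidate !== $base && !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR))) {
        throw new InvalidArgumentException('path escapes base directory');
    }
    return $candidate;
}

// Constructed layout: <tmp>/docs/a.txt (inside) and <tmp>/secret.txt (outside).
$tmp = sys_get_temp_dir() . '/trav_' . bin2hex(random_bytes(4));
mkdir("$tmp/docs", 0700, true);
file_put_contents("$tmp/docs/a.txt", 'ok');
file_put_contents("$tmp/secret.txt", 'no');

echo 'allowed: ', resolveInside("$tmp/docs", 'a.txt'), PHP_EOL;
foreach (['../secret.txt', 'sub/../../secret.txt', '..%2Fsecret.txt', '/etc/passwd'] as $p) {
    try {
        resolveInside("$tmp/docs", $p);
        echo "ALLOWED $p", PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected $p: ", $e->getMessage(), PHP_EOL;
    }
}

unlink("$tmp/docs/a.txt");
unlink("$tmp/secret.txt");
rmdir("$tmp/docs");
rmdir($tmp);
```

Where the file is being created rather than read, realpath() of the full path fails; resolve the parent directory instead and apply the same prefix test, then append a validated basename.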
Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier
CVE-2012-1225
- February 21, 2012
Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php.
SQL Injection
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier
CVE-2011-4814
- December 14, 2011
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss parameter to (5) admin/ihm.php and (6) user/home.php.
XSS
Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier
CVE-2011-4802
- December 14, 2011
Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.php in user/; and (9) rowid parameter to admin/boxes.php.
SQL Injection
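The SQL injection entries on this page fall into two shapes: a value spliced into a statement (country_id in an UPDATE in CVE-2021-36625 and CVE-2018-13448, rowid, id, sall, pays, and the rest) and an identifier spliced into ORDER BY (sortfield and sortorder in CVE-2011-4802 and CVE-2014-3992). The block below is an added example, not Dolibarr's code, that shows both: values go through typed validation and bound parameters, while identifiers, which cannot be bound, are mapped through an allowlist. It goes beyond any single entry by covering both shapes in one place. It uses PDO with an in-memory SQLite database so it runs stand-alone (the pdo_sqlite extension is assumed); the table, data and function names are constructed, and the statements are valid MySQL as well.

```php
<?php
// Added example, not Dolibarr code: value injection vs. bound parameters, and
// identifier injection vs. an allowlist. SQLite in memory stands in for MySQL.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE product (rowid INTEGER PRIMARY KEY, label TEXT, country_id INTEGER)');
$pdo->exec("INSERT INTO product VALUES (1, 'Widget', 1), (2, 'Gadget', 2)");

// Vulnerable shape: the request value lands inside the UPDATE text.
function updateCountryVulnerable(PDO $pdo, int $rowid, string $countryId): int
{
    return $pdo->exec("UPDATE product SET country_id = $countryId WHERE rowid = $rowid");
}

// Fixed: validate the value as a positive integer, then bind it.
function updateCountry(PDO $pdo, int $rowid, string $countryId): int
{
    $id = filter_var($countryId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('country_id must be a positive integer');
    }
    $st = $pdo->prepare('UPDATE product SET country_id = :cid WHERE rowid = :rid');
    $st->execute([':cid' => $id, ':rid' => $rowid]);
    return $st->rowCount();
}

// Sort column and direction are identifiers: they cannot be bound, so the
// request value only selects from a fixed map and never reaches the SQL text.
const SORT_FIELDS = ['rowid' => 'rowid', 'label' => 'label', 'country' => 'country_id'];

function listProducts(PDO $pdo, string $sortfield, string $sortorder, string $sall): array
{
    $col = SORT_FIELDS[$sortfield] ?? 'rowid';
    $dir = strtoupper($sortorder) === 'DESC' ? 'DESC' : 'ASC';
    // The search term is bound; LIKE wildcards in it are escaped so they match literally.
    $needle = '%' . addcslashes($sall, '%_\\') . '%';
    $st = $pdo->prepare(
        "SELECT rowid, label, country_id FROM product WHERE label LIKE :s ESCAPE '\\' ORDER BY $col $dir"
    );
    $st->execute([':s' => $needle]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attack value: turns a one-row update into a table-wide one
// by closing the statement early and commenting out the real WHERE clause.
$attack = '99 WHERE 1=1 --';
updateCountryVulnerable($pdo, 1, $attack);
print_r($pdo->query('SELECT rowid, country_id FROM product')->fetchAll(PDO::FETCH_ASSOC));

try {
    updateCountry($pdo, 1, $attack);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'rows updated safely: ', updateCountry($pdo, 1, '5'), PHP_EOL;

// Identifier injection attempt falls back to the default column.
print_r(listProducts($pdo, 'label; DROP TABLE product', 'DESC', 'g'));
```

Dolibarr's own query layer wraps MySQL rather than PDO, but the two rules carry over unchanged: every request-derived value is either cast to the type the column expects or bound as a parameter, and every request-derived identifier is looked up in a map the code owns.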
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0
CVE-2011-4329
- November 28, 2011
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter in a setup action to admin/company.php, or the PATH_INFO to (2) admin/security_other.php, (3) admin/events.php, or (4) admin/user.php.
XSS