Dolibarr


By the Year

In 2024 there has been 1 vulnerability in Dolibarr, with an average score of 6.1 out of ten. Dolibarr did not have any published security vulnerabilities in 2023, so 1 more vulnerability has already been reported in 2024 than in all of last year.

Year  Vulnerabilities  Average Score
2024  1                6.10
2023  0                0.00
2022  9                6.10
2021  7                7.23
2020  18               6.94
2019  20               6.44
2018  6                8.27

It may take a day or so for new Dolibarr vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Dolibarr Security Vulnerabilities

CVE-2024-23817 6.1 - Medium - January 25, 2024

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks; and implement proper output encoding when rendering user-provided data to ensure it is treated as plain text rather than executable HTML.

XSS

CVE-2022-2060 5.4 - Medium - June 13, 2022

Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.

XSS

CVE-2022-30875 6.1 - Medium - June 08, 2022

Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via Sql Error Page.

XSS

CVE-2022-0819 8.8 - High - March 02, 2022

Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.

CVE-2022-0746 4.3 - Medium - February 25, 2022

Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.

CVE-2022-0731 6.5 - Medium - February 23, 2022

Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.

Insecure Direct Object Reference / IDOR

CVE-2022-0414 4.3 - Medium - January 31, 2022

Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0.

Improper Validation of Specified Quantity in Input

CVE-2022-0224 9.8 - Critical - January 14, 2022

dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command

SQL Injection

CVE-2022-0174 4.3 - Medium - January 10, 2022

Improper Validation of Specified Quantity in Input vulnerability in dolibarr dolibarr/dolibarr.

Improper Validation of Specified Quantity in Input

CVE-2022-22293 5.4 - Medium - January 02, 2022

admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.

XSS

CVE-2021-42220 5.4 - Medium - December 15, 2021

A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a box.

XSS

CVE-2021-33618 6.1 - Medium - November 10, 2021

Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.

XSS

CVE-2021-33816 9.8 - Critical - November 10, 2021

The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.

Code Injection
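The CVE-2021-33816 description is a textbook incomplete denylist: the filter looks for the names system, exec and shell_exec, but the backtick operator reaches the shell without naming any function. The following is an added example, not Dolibarr code: a regex denylist in the spirit of the one the description implies, beside a check that walks PHP's own token stream and flags the backtick token. Function names, the dangerous-function list and the sample inputs are illustrative assumptions.

```php
<?php
// Added example (not Dolibarr code). A keyword denylist like the one the
// CVE-2021-33816 description implies, beside a tokenizer-based check that
// also catches the backtick operator. Names and lists are illustrative.

// Denylist: looks for the named functions only. Backticks are not a
// function call, so `id` passes straight through.
function denylistRejects(string $code): bool
{
    return (bool) preg_match('/\b(system|exec|shell_exec)\s*\(/i', $code);
}

// Tokenizer: inspect what PHP itself will parse. The backtick operator
// appears as a literal '`' token; named calls appear as T_STRING.
function tokenCheckRejects(string $code): bool
{
    $dangerous = ['system', 'exec', 'shell_exec', 'passthru', 'popen',
                  'proc_open', 'pcntl_exec', 'assert'];
    foreach (token_get_all($code) as $tok) {
        if (is_string($tok)) {            // single-character tokens: ';', '(', '`', ...
            if ($tok === '`') {
                return true;
            }
            continue;
        }
        [$id, $text] = $tok;
        if ($id === T_EVAL) {             // eval is a language construct, not a T_STRING
            return true;
        }
        if ($id === T_STRING && in_array(strtolower($text), $dangerous, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs, labelled by what each one exercises.
$samples = [
    '<?php echo system("id"); ?>',                 // named call
    '<?php echo `id`; ?>',                         // backtick operator == shell_exec()
    '<?php $f = "sys" . "tem"; echo $f("id"); ?>', // dynamic call built from strings
    '<?php echo "hello"; ?>',                      // harmless
];
foreach ($samples as $s) {
    printf("%-48s denylist=%-6s tokens=%s\n", $s,
        denylistRejects($s) ? 'reject' : 'allow',
        tokenCheckRejects($s) ? 'reject' : 'allow');
}
```

The third sample is the caveat: a call name assembled at runtime is invisible to both checks, which is why filtering PHP source text is never a complete control. Two facts worth pairing with it: PHP's `disable_functions` also disables the backtick operator when `shell_exec` is on that list, and the durable fix is to not let untrusted users author PHP at all, or to run such code under a separate, unprivileged worker.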

CVE-2021-25956 7.2 - High - August 17, 2021

In Dolibarr application, v3.3.beta1_20121221 to v13.0.2 allow admin-level users to modify other users' details but fail to validate that the new login name already exists when renaming a user's login. This leads to complete account takeover of the victim user, since the password is overwritten for the victim user that has the same login name.

CVE-2021-25957 8.8 - High - August 17, 2021

In Dolibarr application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password.

Weak Password Recovery Mechanism for Forgotten Password

CVE-2021-25955 9 - Critical - August 15, 2021

In Dolibarr ERP CRM, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Private Note field at /adherents/note.php?id=1 endpoint. These scripts are executed in a victim's browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full account takeover of the admin, and due to another vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes, which could lead to privilege escalation.

XSS

CVE-2021-25954 4.3 - Medium - August 09, 2021

In Dolibarr application, 2.8.1 to 13.0.4 do not restrict, or incorrectly restrict, access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do; the affected field is at the /adherents/note.php?id=1 endpoint.

AuthZ

CVE-2020-14209 8.8 - High - September 02, 2020

Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).

Unrestricted File Upload
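The two bypasses in the CVE-2020-14209 description (.pht and .phar slipping past the extension check, and an uploaded .htaccess redefining which extensions the web server executes) are the standard failure modes of an extension denylist. The following is an added example, not Dolibarr code: a denylist check of the kind the description implies, beside an allowlist check that also rejects dotfiles and multi-extension names. Function names and the extension lists are illustrative assumptions.

```php
<?php
// Added example (not Dolibarr code): why an extension denylist fails and
// what an allowlist check looks like. Names and lists are illustrative.

// Denylist in the spirit of the pre-11.0.5 check: blocks the obvious PHP
// extensions but not every alias the web server may hand to the PHP engine,
// and says nothing about server configuration files such as .htaccess.
function denylistAllows(string $filename): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist check: only known-inert extensions, exactly one extension,
// no dotfiles (rejects .htaccess and .user.ini), no empty basename.
function allowlistAllows(string $filename): bool
{
    $allowed = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'csv', 'ods', 'odt'];

    $base = basename($filename);                // strip any path component
    if ($base === '' || $base[0] === '.') {     // .htaccess, .user.ini, ...
        return false;
    }
    $parts = explode('.', $base);
    if (count($parts) !== 2) {                  // "shell.php.png", "README"
        return false;
    }
    [$name, $ext] = $parts;
    if ($name === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return false;
    }
    return in_array(strtolower($ext), $allowed, true);
}

// Constructed sample names covering the cases named in the CVE text.
$samples = ['report.pdf', 'shell.pht', 'shell.phar', '.htaccess', 'shell.php.png', 'logo.PNG'];
foreach ($samples as $s) {
    printf("%-15s denylist=%-5s allowlist=%s\n", $s,
        denylistAllows($s) ? 'pass' : 'block',
        allowlistAllows($s) ? 'pass' : 'block');
}
```

A denylist has to enumerate every extension the server could ever execute, including whatever a local .htaccess adds later, whereas the allowlist only has to know what the application intends to accept. Independently of the check, uploads belong in a directory outside the document root, or one where the PHP engine is switched off, so that a filename check is not the only control between an upload and code execution.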

CVE-2020-13828 5.4 - Medium - August 31, 2020

Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.

XSS

CVE-2020-14201 6.5 - Medium - August 21, 2020

Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source code.

Improper Privilege Management

CVE-2020-14443 8.8 - High - June 18, 2020

A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.

SQL Injection

CVE-2020-13240 5.4 - Medium - May 20, 2020

The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.

Exposure of Resource to Wrong Sphere

CVE-2020-13239 5.4 - Medium - May 20, 2020

The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.

XSS

CVE-2020-13094 5.4 - Medium - May 18, 2020

Dolibarr before 11.0.4 allows XSS.

XSS

CVE-2020-12669 8.8 - High - May 06, 2020

core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.

AuthZ

CVE-2020-11825 8.8 - High - April 16, 2020

In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.

Session Riding

CVE-2020-11823 5.4 - Medium - April 16, 2020

In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.

XSS

CVE-2019-19212 9.8 - Critical - March 16, 2020

Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).

XSS

CVE-2019-19211 6.1 - Medium - March 16, 2020

Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS.

XSS

CVE-2019-19209 7.5 - High - March 16, 2020

Dolibarr ERP/CRM before 10.0.3 allows SQL Injection.

SQL Injection

CVE-2019-19210 5.4 - Medium - March 16, 2020

Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.

XSS

CVE-2020-9016 5.4 - Medium - February 16, 2020

Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.

XSS

CVE-2020-7994 6.1 - Medium - January 26, 2020

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page.

XSS

CVE-2020-7996 6.1 - Medium - January 26, 2020

htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header.

XSS

CVE-2020-7995 9.8 - Critical - January 26, 2020

The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.

Improper Restriction of Excessive Authentication Attempts

CVE-2019-19206 5.4 - Medium - November 26, 2019

Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture.

XSS
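Three of the entries above share one root cause: a stored upload is handed back to the browser as a document in the application's own origin. CVE-2020-13239 (an .html file rendered inline once the attachment parameter is dropped), CVE-2019-19210 (a .noexe-renamed file still served as text/html) and CVE-2019-19206 (script inside an SVG profile picture) all go away if the download endpoint decides the response type itself. The following is an added example, not Dolibarr code, showing that decision; the MIME map, the header set and the function names are illustrative assumptions, and `header()` and `readfile()` are the standard PHP calls.

```php
<?php
// Added example (not Dolibarr code): serving a stored upload so that the
// browser never interprets it as a document of the uploaded origin.
// The MIME map, headers and function names are illustrative.

// Decide the response headers for a stored file. Only a short allowlist of
// inert types keeps its real MIME type, so <img> tags for PNG/JPEG/GIF still
// work; HTML, SVG, XML and anything unknown are downgraded to octet-stream.
function downloadHeaders(string $storedName, bool $inlineRequested): array
{
    $inertTypes = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'pdf'  => 'application/pdf',
    ];
    $ext  = strtolower(pathinfo($storedName, PATHINFO_EXTENSION));
    $type = $inertTypes[$ext] ?? 'application/octet-stream';

    // Inline rendering is honoured only for the inert image types. A request
    // parameter alone must never turn an attachment into a rendered page.
    $disposition = ($inlineRequested && strpos($type, 'image/') === 0)
        ? 'inline' : 'attachment';

    // Keep the filename shown to the user free of header-injection or
    // path characters.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($storedName));

    return [
        'Content-Type'            => $type,
        'Content-Disposition'     => $disposition . '; filename="' . $safeName . '"',
        'X-Content-Type-Options'  => 'nosniff',   // no content sniffing back to text/html
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

function sendFile(string $path, string $storedName, bool $inlineRequested): void
{
    foreach (downloadHeaders($storedName, $inlineRequested) as $name => $value) {
        header($name . ': ' . $value);
    }
    readfile($path);
}

// Constructed stored names; in a real endpoint $inlineRequested would come
// from the request and $storedName from the server-side file record.
foreach (['invoice.html', 'avatar.svg', 'logo.png', 'report.noexe'] as $stored) {
    echo $stored, "\n";
    print_r(downloadHeaders($stored, true));
}
```

The design choice is that the stored extension, not the request, selects the type, and that the unknown case is an attachment rather than a guess. The CSP with `sandbox` is belt-and-braces for any case where a browser still renders the body. Where the deployment allows it, serving user uploads from a separate origin removes the session cookie from the equation entirely.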

CVE-2019-17578 5.4 - Medium - October 16, 2019

An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field.

XSS

CVE-2019-17577 5.4 - Medium - October 16, 2019

An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field.

XSS

CVE-2019-17576 5.4 - Medium - October 16, 2019

An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field.

XSS

CVE-2019-17223 6.1 - Medium - October 15, 2019

There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php.

XSS

CVE-2019-16685 5.4 - Medium - September 27, 2019

Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.

XSS

CVE-2019-16686 5.4 - Medium - September 27, 2019

Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin.

XSS

CVE-2019-16687 5.4 - Medium - September 27, 2019

Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.

XSS

CVE-2019-16688 5.4 - Medium - September 27, 2019

Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.)

XSS

CVE-2019-16197 6.1 - Medium - September 16, 2019

In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS.

XSS

CVE-2019-15062 8 - High - August 14, 2019

An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

Session Riding
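Two of the CSRF entries on this page fail in opposite ways: CVE-2020-11825 has a token, but one that is accepted across sessions, and CVE-2019-15062 relies on a Referer check that a same-origin IFRAME satisfies trivially. The property both need is a token that is bound to the victim's session and that stored attacker content cannot read. The following is an added example, not Dolibarr code: a per-session secret, an HMAC token bound to both that secret and the action name, and a constant-time check. The session array stand-ins, the action names and the function names are illustrative assumptions.

```php
<?php
// Added example (not Dolibarr code): a CSRF token derived from a per-session
// secret, so a token minted in one session is rejected in every other one.
// The session arrays, action names and function names are illustrative.

// Per-session secret, created once and kept server-side only.
function csrfSecret(array &$session): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_secret'];
}

// Token = HMAC-SHA256(session secret, action name). Binding the action name
// means a token issued for one form cannot be replayed against another.
function csrfToken(array &$session, string $action): string
{
    return hash_hmac('sha256', $action, csrfSecret($session));
}

function csrfValid(array &$session, string $action, ?string $presented): bool
{
    if ($presented === null) {
        return false;
    }
    // Constant-time comparison: no byte-by-byte timing leak of the token.
    return hash_equals(csrfToken($session, $action), $presented);
}

// Two independent sessions, constructed stand-ins for $_SESSION.
$alice   = [];
$mallory = [];

$tokenForAlice   = csrfToken($alice, 'user_password_change');
$tokenForMallory = csrfToken($mallory, 'user_password_change');

var_dump(csrfValid($alice, 'user_password_change', $tokenForAlice));    // own session, right action
var_dump(csrfValid($alice, 'user_password_change', $tokenForMallory));  // token from another session
var_dump(csrfValid($alice, 'user_disable', $tokenForAlice));            // own token, different action
```

The Referer check in CVE-2019-15062 cannot distinguish a request launched by attacker-stored HTML on one of the application's own pages from a legitimate one, because both carry the application's origin. A per-session HMAC token does, as long as the stored content cannot execute script and read it out of the page; the stored XSS entries on this page are the reminder that the two controls stand or fall together.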

CVE-2019-1010054 8.8 - High - July 18, 2019

Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malicious HTML to change user password, disable users and disable password encryption. The component is: Function User password change, user disable and password encryption. The attack vector is: admin access malicious URLs.

Session Riding

CVE-2019-1010016 6.1 - Medium - July 15, 2019

Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the attacker.

XSS

CVE-2018-16808 6.1 - Medium - March 07, 2019

An issue was discovered in Dolibarr through 7.0.0. There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private note.

XSS

CVE-2018-16809 9.8 - Critical - March 07, 2019

An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.

SQL Injection

CVE-2018-19998 8.8 - High - January 03, 2019

SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.

SQL Injection

CVE-2018-19992 5.4 - Medium - January 03, 2019

A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php.

XSS

CVE-2018-19993 6.1 - Medium - January 03, 2019

A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the transphrase parameter to public/notice.php.

XSS

CVE-2018-19994 8.8 - High - January 03, 2019

An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter.

SQL Injection

CVE-2018-19995 5.4 - Medium - January 03, 2019

A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php.

XSS

CVE-2018-19799 6.1 - Medium - December 26, 2018

Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS.

XSS

CVE-2018-13447 9.8 - Critical - July 08, 2018

SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut parameter.

SQL Injection

CVE-2018-10095 6.1 - Medium - May 22, 2018

Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.

XSS

CVE-2018-10094 9.8 - Critical - May 22, 2018

SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes.

SQL Injection

CVE-2018-10092 8 - High - May 22, 2018

The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads.

AuthZ

CVE-2018-9019 9.8 - Critical - May 22, 2018

SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php.

SQL Injection
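The SQL injection entries on this page fall into two patterns. CVE-2018-10094 spells out the first ("integer parameters without quotes"), and CVE-2018-16809 (qty, value_unit), CVE-2018-19994 (desiredstock) and CVE-2018-13447 (statut) are instances of it: string escaping only protects a value that sits inside quotes. CVE-2018-9019 (sortfield) is the second pattern: an identifier in ORDER BY cannot be quoted or bound at all. The following is an added example, not Dolibarr code, with each pattern beside its safe form. The table and column names, the query text, the constructed probe values and the function names are illustrative assumptions; `addslashes()` stands in for a database escape function.

```php
<?php
// Added example (not Dolibarr code): the unquoted-integer pattern and the
// unvalidated ORDER BY identifier pattern, each beside a safe form. Table
// names, queries, probe values and function names are illustrative.

// Vulnerable: escaping only helps inside quotes. With the value unquoted,
// a value such as "1 OR 1=1" changes the query without any quote character.
function priceQueryVulnerable(string $qty): string
{
    $escaped = addslashes($qty);   // stands in for a database escape function
    return "SELECT price FROM product_price WHERE qty = " . $escaped;
}

// Safe: validate the type before the query exists, then cast. Rejecting is
// better than silently casting "1 OR 1=1" to 1, which would hide the probe.
function priceQuerySafe(string $qty): string
{
    if (!preg_match('/^-?\d+$/', $qty)) {
        throw new InvalidArgumentException('qty must be an integer');
    }
    return "SELECT price FROM product_price WHERE qty = " . (int) $qty;
}

// Vulnerable: a column name cannot be bound as a parameter, and escaping
// does nothing against a subquery or expression placed in ORDER BY.
function listQueryVulnerable(string $sortfield, string $sortorder): string
{
    return "SELECT rowid, label FROM c_accounting_category ORDER BY "
         . addslashes($sortfield) . " " . addslashes($sortorder);
}

// Safe: identifiers are looked up in an allowlist, never copied from the request.
function listQuerySafe(string $sortfield, string $sortorder): string
{
    $columns = ['rowid' => 'rowid', 'label' => 'label', 'code' => 'code'];
    $orders  = ['ASC' => 'ASC', 'DESC' => 'DESC'];
    $col = $columns[$sortfield] ?? 'rowid';
    $ord = $orders[strtoupper($sortorder)] ?? 'ASC';
    return "SELECT rowid, label FROM c_accounting_category ORDER BY $col $ord";
}

// With a live connection, a prepared statement removes the quoting problem
// for values entirely; identifiers still need the allowlist above.
function fetchPrice(PDO $db, int $qty): ?string
{
    $stmt = $db->prepare('SELECT price FROM product_price WHERE qty = :qty');
    $stmt->execute([':qty' => $qty]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['price'] ?? null;
}

// Constructed probe values, not taken from any advisory.
$intProbe  = '1 OR 1=1';
$sortProbe = 'rowid,(SELECT SLEEP(5))';

echo priceQueryVulnerable($intProbe), "\n";
try {
    echo priceQuerySafe($intProbe), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo listQueryVulnerable($sortProbe, 'ASC'), "\n";
echo listQuerySafe($sortProbe, 'ASC'), "\n";
```

The practical check when auditing code like this is to grep for query strings where a variable follows `=` without a surrounding quote, and for ORDER BY or column lists built from request data; escaping calls around those variables are a false reassurance in both positions.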
