CVE-2018-10094
Description
Dolibarr before 7.0.2 has an SQL injection vulnerability in integer parameters, allowing remote attackers to execute arbitrary SQL commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Dolibarr versions before 7.0.2 contain a SQL injection vulnerability in integer parameters that are not properly sanitized [2]. The database connector escapes quotes using real_escape_string(), but integer arguments are not enclosed in quotes, allowing injection without quote characters [3]. Affected versions are all prior to 7.0.2.
Exploitation
An unauthenticated attacker can send specially crafted HTTP requests with integer parameters containing SQL code [2]. The application includes a keyword filter that blocks certain SQL keywords (e.g., UNION), but this filter can be bypassed using URL encoding [3]. No additional privileges or user interaction are required.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the database [2]. This can lead to unauthorized reading, modification, or deletion of data, potentially compromising the entire Dolibarr instance [3]. The CVSS score is 7.5 (high) [4].
Mitigation
The vulnerability is fixed in Dolibarr version 7.0.2 [2]. Users should upgrade to this version or later. No workaround is documented. The CVE is not listed in the KEV catalog [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 7.0.2 | 7.0.2 |
Patches
7ade4e37f24d FIX CVE-2018-10094
1 file changed · +1 −1
htdocs/adherents/list.php+1 −1 modified@@ -43,7 +43,7 @@ $result=restrictedArea($user,'adherent'); $filter=GETPOST("filter",'alpha'); -$statut=GETPOST("statut",'alpha'); +$statut=GETPOST("statut",'intcomma'); $search=GETPOST("search",'alpha'); $search_ref=GETPOST("search_ref",'alpha'); $search_lastname=GETPOST("search_lastname",'alpha');
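Review bot: the hunk changes only `statut` to `'intcomma'`, while the neighbouring GETPOST calls in the visible context (`filter`, `search`, `search_ref`, `search_lastname`) keep `'alpha'`; any of those that is also interpolated into SQL without quotes needs the same review, since `'alpha'` places no restriction on SQL metacharacters. The commit message `FIX CVE-2018-10094` also does not say why the filter type was the root cause; a one-line note (integer parameter interpolated unquoted, so `'alpha'` plus escaping was insufficient) would help future readers of this file.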
Vulnerability mechanics
Root cause
"Missing input validation on an integer parameter allows SQL injection because the `'alpha'` filter does not restrict numeric content and `real_escape_string()` does not protect unquoted integer values."
Attack vector
An unauthenticated remote attacker sends a crafted HTTP GET request to `/dolibarr/adherents/list.php` with a URL-encoded SQL payload in the `statut` parameter [ref_id=2]. The application's `test_sql_and_script_inject()` function blocks keywords like `union` and `select` in plain text, but URL-encoding the payload bypasses those checks [ref_id=2]. Because the parameter is treated as an alpha string and inserted into an SQL query without numeric quoting, the attacker can execute arbitrary SQL commands [CWE-89].
Affected code
The vulnerable code path is in `htdocs/adherents/list.php`, where the `statut` parameter is fetched with the `'alpha'` filter type, which does not restrict numeric content. The underlying database connector in `mysqli.class.php` uses `real_escape_string()` to escape quotes, but integer parameters without quotes are not protected by that escaping [ref_id=2].
What the fix does
The patch changes the filter type for the `statut` parameter from `'alpha'` to `'intcomma'` in `htdocs/adherents/list.php` [patch_id=1701142]. The `'intcomma'` filter restricts input to integer values (optionally comma-separated), which prevents any SQL metacharacters or keywords from being injected. This closes the injection vector because the parameter can no longer contain arbitrary strings, only numeric data.
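The following is an added example, not Dolibarr's own code, that emulates the `'alpha'` and `'intcomma'` filter types described in the attack-vector and fix sections above, shows why quote escaping alone does not protect an unquoted integer parameter, and gives a small access-log check for `statut` values that the `'intcomma'` filter would reject. The filter implementations, the `llx_adherent`/`statut` query shape, and the request lines are simplified stand-ins chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TAG_RE = re.compile(r"<[^>]*>")
INTCOMMA_RE = re.compile(r"^\d+(?:,\d+)*$")

def filter_alpha(value: str) -> str:
    """Simplified stand-in for the pre-patch 'alpha' GETPOST filter: tags are
    stripped, but nothing restricts the value to numeric content, so SQL
    metacharacters and keywords survive (assumption: a simplified emulation)."""
    return TAG_RE.sub("", value)

def filter_intcomma(value: str):
    """Stand-in for the post-patch 'intcomma' filter: digits and commas only.
    Returns the value when well formed, otherwise None (rejected)."""
    return value if INTCOMMA_RE.fullmatch(value) else None

def escape_quotes(value: str) -> str:
    """Emulates real_escape_string(): escapes quotes and backslashes, which
    only helps when the value sits inside quotes in the final query."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def build_members_query(statut: str, filter_name: str):
    """Builds the member-list WHERE clause with the chosen GETPOST filter
    applied first. Returns None when the filter rejects the input."""
    cleaned = filter_alpha(statut) if filter_name == "alpha" else filter_intcomma(statut)
    if cleaned is None:
        return None
    # Integer columns are interpolated without quotes, so escaping cannot help here.
    return f"SELECT d.rowid FROM llx_adherent AS d WHERE d.statut IN ({escape_quotes(cleaned)})"

def statut_is_anomalous(request_uri: str) -> bool:
    """Detection helper for web-server access logs: True when a request to
    adherents/list.php carries a statut value that is not a plain
    comma-separated integer list after URL decoding."""
    parts = urlsplit(request_uri)
    if not parts.path.endswith("/adherents/list.php"):
        return False
    # parse_qs decodes once; the extra unquote also catches double-encoded values.
    for value in parse_qs(parts.query, keep_blank_values=True).get("statut", []):
        if filter_intcomma(unquote(value)) is None:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample mirroring the shape of the published payload.
    sample = "1) union select 0,1,version()#"
    print(build_members_query(sample, "alpha"))      # keyword survives unquoted
    print(build_members_query(sample, "intcomma"))   # None: rejected by the fix
    print(statut_is_anomalous("/dolibarr/adherents/list.php?statut=%31%29%20%75%6e%69%6f%6e"))
```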
Preconditions
- network: The attacker must be able to send HTTP GET requests to the Dolibarr application.
- auth: No authentication is required; the vulnerable endpoint is accessible to unauthenticated users.
- input: The `statut` parameter must be accepted by the application with the `'alpha'` filter (pre-patch).
Reproduction
Send a GET request to `/dolibarr/adherents/list.php?leftmenu=members&statut=%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23` (URL-encoded `1) union select 0,1,2,version(),...`). The response will include the database version in the rendered HTML, confirming SQL injection [ref_id=2].
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44805/ (Exploit-DB)
- github.com/advisories/GHSA-57wj-22w9-wm9r (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-10094 (NVD)
- www.openwall.com/lists/oss-security/2018/05/21/1 (oss-security mailing list)
- github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog (vendor ChangeLog)
- github.com/Dolibarr/dolibarr/commit/7ade4e37f24d6859987bb9f6232f604325633fdd (fix commit)
- sysdream.com/news/lab/2018-05-21-cve-2018-10094-dolibarr-sql-injection-vulnerability (Sysdream advisory)