CVE-2021-36625
Description
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dolibarr ERP/CRM 13.0.2 contains an SQL injection vulnerability in the country_id parameter during an UPDATE operation, fixed in version 14.0.0.
Vulnerability
An SQL injection vulnerability exists in Dolibarr ERP/CRM version 13.0.2 (and possibly earlier) via a POST request to the country_id parameter in an UPDATE statement [1][2]. The flaw occurs in the update method of the core classes where the country_id value is not properly sanitized before being inserted into the SQL query [2]. The fixed version is 14.0.0 [1].
Exploitation
An attacker must have authenticated access to the Dolibarr instance and send a crafted POST request to a vulnerable endpoint that uses the country_id parameter [1]. The attacker can inject arbitrary SQL commands by manipulating the country_id value in the UPDATE query [2].
Impact
Successful exploitation allows an authenticated attacker to modify, delete, or extract data from the database, potentially gaining unauthorized access to sensitive information [1][2][3].
Mitigation
Upgrade to Dolibarr 14.0.0 or later, which includes the fix (commit abb1ad6) [2]. No workaround is provided; users should apply the patch immediately [1].
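The following added example illustrates the vulnerability class described in the Vulnerability, Exploitation and Mitigation sections above. It is not Dolibarr code and does not reproduce the change in commit abb1ad6: it is a Python/SQLite model of an UPDATE statement that splices the country_id POST value into the query as text, two payloads an authenticated user could submit in that field, and a hardened version that casts the value to an integer and binds it as a parameter. The table and column names (llx_societe, nom, country_id) are assumptions for illustration only.

```python
import sqlite3

# Constructed stand-in for an ERP "third party" table. The table and column names
# (llx_societe, nom, country_id) are assumptions for illustration, not a claim
# about Dolibarr's real schema or about the code touched by the fix commit.
SCHEMA = """
CREATE TABLE llx_societe (rowid INTEGER PRIMARY KEY, nom TEXT, country_id INTEGER);
INSERT INTO llx_societe VALUES (1, 'Acme SA',     1);
INSERT INTO llx_societe VALUES (2, 'Globex GmbH', 5);
INSERT INTO llx_societe VALUES (3, 'Initech Ltd', 7);
"""


def fresh_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_country_vulnerable(conn, rowid, country_id):
    """Vulnerable pattern: the country_id request value is spliced into the UPDATE
    as text, so anything after the number becomes part of the statement."""
    sql = f"UPDATE llx_societe SET country_id = {country_id} WHERE rowid = {int(rowid)}"
    conn.execute(sql)
    conn.commit()
    return sql


def update_country_fixed(conn, rowid, country_id):
    """Hardened form: coerce to int (any non-numeric payload raises ValueError)
    and bind the values as parameters so they can never be parsed as SQL."""
    cid = int(country_id)
    conn.execute(
        "UPDATE llx_societe SET country_id = ? WHERE rowid = ?",
        (cid, int(rowid)),
    )
    conn.commit()
    return cid


def countries(conn):
    return [r[0] for r in conn.execute("SELECT country_id FROM llx_societe ORDER BY rowid")]


def names(conn):
    return [r[0] for r in conn.execute("SELECT nom FROM llx_societe ORDER BY rowid")]


# Constructed payloads an authenticated user could submit as the country_id POST field.
PAYLOAD_MASS_UPDATE = "5 WHERE 1=1 --"      # closes SET, replaces WHERE, comments out the rest
PAYLOAD_EXTRA_COLUMN = "5, nom = 'pwned'"   # appends a second assignment to the SET list


def demo_mass_update():
    """An UPDATE meant for rowid 1 hits every row: country_id becomes 5 everywhere."""
    conn = fresh_db()
    update_country_vulnerable(conn, 1, PAYLOAD_MASS_UPDATE)
    return countries(conn)


def demo_extra_column():
    """A column the endpoint never intended to touch (nom) is overwritten."""
    conn = fresh_db()
    update_country_vulnerable(conn, 1, PAYLOAD_EXTRA_COLUMN)
    return names(conn)


def demo_fixed_rejects_payload():
    """The int cast refuses the payload and the table is left untouched."""
    conn = fresh_db()
    try:
        update_country_fixed(conn, 1, PAYLOAD_MASS_UPDATE)
        return "accepted", countries(conn)
    except ValueError:
        return "rejected", countries(conn)


def demo_fixed_accepts_number():
    """Legitimate input still works: only rowid 1 changes."""
    conn = fresh_db()
    update_country_fixed(conn, 1, "5")
    return countries(conn)


if __name__ == "__main__":
    print("vulnerable, mass update :", demo_mass_update())
    print("vulnerable, extra column:", demo_extra_column())
    print("fixed, payload          :", demo_fixed_rejects_payload())
    print("fixed, benign value     :", demo_fixed_accepts_number())
```

Both payloads work without quotes because country_id is numeric context, so escaping string quotes would not help; the defence is to enforce the integer type (an `(int)` cast in PHP) or to bind the value as a parameter, which is what the hardened function does.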
- [1] GitHub - Dolibarr/dolibarr: Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It's an open source Web application (written in PHP) designed for businesses of any sizes, foundations and freelancers.
- [2] Fix sql injection · Dolibarr/dolibarr@abb1ad6
- [3] NVD - CVE-2021-36625
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 14.0.0 | 14.0.0 |
Affected products
- Dolibarr ERP/CRM (no CPE assigned), 2 version ranges:
  - >= 13.0.2, <= 13.0.2 (13.0.2 only, matching the CVE description)
  - < 14.0.0 (matching the GitHub Security Advisory)
Patches
No patches discovered yet (the fix commit abb1ad6 is listed under References).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vrgp-3ph6-2wwq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-36625 (GHSA, advisory)
- github.com/Dolibarr/dolibarr/commit/abb1ad6bf0469eccd2b58beb20bdabc18fc36e22 (GHSA / NVD x_refsource_MISC, web)
News mentions
No linked articles in our index yet.