Multiple vulnerabilities in DOLIBARR's ERP CMS
Description
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters sortorder and sortfield in /dolibarr/admin/dict.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Dolibarr ERP-CRM 9.0.1 allows remote unauthenticated attackers to retrieve all database contents via crafted sortorder and sortfield parameters.
Vulnerability
Overview
CVE-2024-5314 is a critical SQL injection vulnerability in Dolibarr ERP-CRM version 9.0.1. The flaw resides in the /dolibarr/admin/dict.php script, where the sortorder and sortfield parameters are not properly sanitized before being used in SQL queries. This allows an attacker to inject arbitrary SQL commands [1][2][3].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable endpoint. No prior authentication or special network position is required, making the attack surface broad. The parameters sortorder and sortfield are directly concatenated into SQL statements, enabling the attacker to manipulate the query logic [2][3].
Impact
Successful exploitation allows the attacker to retrieve all information stored in the database, including sensitive data such as user credentials, financial records, and business information. The CVSS v3.1 base score is 9.1 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high confidentiality and integrity impact but no availability impact [3].
Mitigation
As of the advisory publication, no official patch or workaround has been released for this vulnerability. Users of Dolibarr ERP-CRM 9.0.1 are advised to restrict network access to the affected endpoint and monitor for updates from the vendor [3].
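The mechanism described above is the classic ORDER BY injection: sort columns and directions cannot be bound as prepared-statement parameters, so they must be validated against an allow-list before they touch the query string. The following is an added illustration written for this page, not Dolibarr's code; the table and column names, the `dictionary` placeholder and the request values are constructed.

```php
<?php
// Added example (not Dolibarr code): user-controlled ORDER BY fields cannot be
// bound as query parameters, so they must be checked against an allow-list.
// Table and column names below are placeholders, not Dolibarr's schema.

// Vulnerable pattern: request values are concatenated straight into the SQL,
// which is the defect class the advisory describes for sortfield/sortorder.
function buildOrderByUnsafe(string $sortfield, string $sortorder): string
{
    return "SELECT rowid, code, label FROM dictionary ORDER BY $sortfield $sortorder";
}

// Hardened pattern: map each accepted sort key to a known column and accept
// only ASC or DESC as the direction; anything else is rejected before any SQL
// is built. The map also lets the public key differ from the real column name.
const ALLOWED_SORT_FIELDS = ['rowid' => 'rowid', 'code' => 'code', 'label' => 'label'];

function buildOrderBySafe(string $sortfield, string $sortorder): string
{
    if (!array_key_exists($sortfield, ALLOWED_SORT_FIELDS)) {
        throw new InvalidArgumentException("unknown sort field: " . $sortfield);
    }
    $order = strtoupper($sortorder);
    if ($order !== 'ASC' && $order !== 'DESC') {
        throw new InvalidArgumentException("invalid sort order: " . $sortorder);
    }
    $column = ALLOWED_SORT_FIELDS[$sortfield];
    return "SELECT rowid, code, label FROM dictionary ORDER BY $column $order";
}

// Constructed request values: one benign, one carrying extra SQL after the direction.
$benign  = ['sortfield' => 'label', 'sortorder' => 'asc'];
$hostile = ['sortfield' => 'label', 'sortorder' => 'DESC, 1=1 -- injected'];

// The unsafe builder passes the hostile value through untouched.
echo buildOrderByUnsafe($hostile['sortfield'], $hostile['sortorder']), PHP_EOL;

// The hardened builder accepts the benign request and rejects the hostile one.
echo buildOrderBySafe($benign['sortfield'], $benign['sortorder']), PHP_EOL;
try {
    echo buildOrderBySafe($hostile['sortfield'], $hostile['sortorder']), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

Rejections from the hardened path are also a useful detection signal: logging the rejected sortfield/sortorder values on an endpoint like dict.php surfaces probing before any data is returned.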
- GitHub - Dolibarr/dolibarr: Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It's an open source web application (written in PHP) designed for businesses of any size, foundations and freelancers.
- NVD - CVE-2024-5314
- Multiple vulnerabilities in DOLIBARR's ERP CMS
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | <= 9.0.1 | — |
Affected products
- (no CPE) range: >= 9.0.1, < 18.0.5
- (no CPE) range: <= 9.0.1
- Dolibarr/ERP CMS (v5) range: 9.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.