Multiple vulnerabilities in DOLIBARR's ERP CMS
Description
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameter viewstatut in /dolibarr/commande/list.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dolibarr ERP-CRM 9.0.1 is vulnerable to a pre-authentication SQL injection via the 'viewstatut' parameter in commande/list.php, allowing full database disclosure.
Root Cause
CVE-2024-5315 is an SQL injection vulnerability in Dolibarr ERP-CRM version 9.0.1 [1]. The flaw exists in the /dolibarr/commande/list.php endpoint, where the viewstatut parameter is not properly sanitized before being used in a database query [2]. This allows an attacker to inject arbitrary SQL commands [3].
Exploitation
The vulnerability is exploitable remotely without any prior authentication [3]. An attacker only needs to send a crafted HTTP request containing malicious SQL in the viewstatut parameter to the vulnerable endpoint [2]. No special privileges or network access restrictions are required beyond reachability of the web application [3].
Impact
Successful exploitation enables an attacker to read, modify, or delete arbitrary data from the underlying database [2]. This can lead to complete disclosure of all information stored in the database, including sensitive business data, user credentials, and financial records [3]. The CVSS v3.1 base score is 9.1, indicating critical severity due to high impact on confidentiality and integrity [3].
Mitigation
As of the publication date (2024-05-24), no official patch or mitigation has been released for this vulnerability [3]. Users of Dolibarr 9.0.1 are advised to monitor the vendor's repository for updates or apply input validation and prepared statements as a workaround [1][3].
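The root-cause and mitigation paragraphs above describe the generic defect (a request parameter concatenated into a query) and the generic fix (input validation plus prepared statements). The following is an added illustration written for this page, not Dolibarr's own code: a hypothetical order-list handler in the unsafe form beside a hardened form. The table name "orders", the column "status", the set of allowed status codes and the sample rows are all constructed for the example; the hardened version first checks the value against a closed list and then binds it as a typed parameter so the database never parses it as SQL.

```php
<?php
// Added example, not code from the Dolibarr project. Table, column and
// status codes below are assumptions made for illustration only.
declare(strict_types=1);

// Closed list of filter values the handler accepts (constructed values).
const ALLOWED_STATUS = ['-1', '0', '1', '2', '3'];

/**
 * UNSAFE PATTERN (the class of defect the advisory describes): the request
 * parameter is interpolated straight into the SQL text, so whatever the
 * client sends becomes part of the statement the database executes.
 * Shown for contrast only; the demo below never calls it.
 */
function listOrdersUnsafe(PDO $db, string $viewstatut): array
{
    $sql = "SELECT rowid, ref, status FROM orders WHERE status = " . $viewstatut;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * HARDENED: reject anything outside the allowed list, then pass the value
 * as a bound integer parameter of a prepared statement.
 */
function listOrdersSafe(PDO $db, string $viewstatut): array
{
    if (!in_array($viewstatut, ALLOWED_STATUS, true)) {
        // Fail closed: an unexpected filter value is treated as a bad request.
        throw new InvalidArgumentException('viewstatut out of range');
    }
    $stmt = $db->prepare('SELECT rowid, ref, status FROM orders WHERE status = :s');
    $stmt->bindValue(':s', (int) $viewstatut, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Request-level wrapper: reads the parameter the way a list page would
 * (from the query string) and maps validation failures to HTTP 400.
 */
function handleListRequest(PDO $db, array $query): array
{
    $viewstatut = isset($query['viewstatut']) ? (string) $query['viewstatut'] : '-1';
    try {
        return ['status' => 200, 'rows' => listOrdersSafe($db, $viewstatut)];
    } catch (InvalidArgumentException $e) {
        return ['status' => 400, 'rows' => []];
    }
}

// Self-contained demo on an in-memory SQLite database (needs the pdo_sqlite
// extension); the schema and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (rowid INTEGER PRIMARY KEY, ref TEXT, status INTEGER)');
$db->exec("INSERT INTO orders (ref, status) VALUES ('CO2401', 1), ('CO2402', 2), ('CO2403', 1)");

// One well-formed request and one with a value outside the allowed list.
foreach ([['viewstatut' => '1'], ['viewstatut' => 'not-a-status']] as $query) {
    $resp = handleListRequest($db, $query);
    printf("viewstatut=%s -> HTTP %d, %d row(s)\n",
        $query['viewstatut'], $resp['status'], count($resp['rows']));
}
```

Run with `php example.php`; the first request returns HTTP 200 with two rows, the second is refused with HTTP 400 before any query is built. The allow-list is the important half of the fix for a status filter: even with a prepared statement, a free-form string would still be accepted as a filter value, whereas a closed list keeps the parameter's semantics (a known status code) and makes rejected requests easy to log and alert on.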
- [1] GitHub - Dolibarr/dolibarr: Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It is an open source web application (written in PHP) designed for businesses of any size, foundations and freelancers.
- [2] NVD - CVE-2024-5315
- [3] Multiple vulnerabilities in DOLIBARR's ERP CMS
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | <= 9.0.1 | — |
Affected products
- osv-coords (no CPE), range: >= 9.0.1, < 18.0.5
- osv-coords (no CPE), range: <= 9.0.1
- Dolibarr/ERP CMS (v5), range: 9.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.