Bitnami package
dolibarr
pkg:bitnami/dolibarr
Vulnerabilities (46)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-55228 | — | | | >= 21.0.0-beta, < 21.0.0 | 21.0.0 | Jan 27, 2025 | A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter. |
| CVE-2024-55227 | — | | | >= 21.0.0-beta, < 21.0.0 | 21.0.0 | Jan 27, 2025 | A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter. |
| CVE-2021-3991 | — | | | < 20.0.2 | 20.0.2 | Nov 15, 2024 | An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions. |
| CVE-2024-37821 | — | | | < 19.0.2 | 19.0.2 | Jun 18, 2024 | An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file. |
| CVE-2024-5315 | — | | | >= 9.0.1, < 18.0.5 | 18.0.5 | May 24, 2024 | Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters viewst |
| CVE-2024-5314 | — | | | >= 9.0.1, < 18.0.5 | 18.0.5 | May 24, 2024 | Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters sortorde |
| CVE-2024-31503 | — | | | < 19.0.1 | 19.0.1 | Apr 16, 2024 | Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover. |
| CVE-2024-29477 | — | | | < 19.0.1 | 19.0.1 | Apr 3, 2024 | Lack of sanitization during the Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input. |
| CVE-2024-23817 | — | | | >= 18.0.4, < 18.0.5 | 18.0.5 | Jan 25, 2024 | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has an HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and m |
| CVE-2023-4198 | — | | | <= 17.0.3 | — | Nov 1, 2023 | Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data. |
| CVE-2023-4197 | — | | | <= 18.0.1 | — | Nov 1, 2023 | Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. |
| CVE-2023-5842 | — | | | < 16.0.5 | 16.0.5 | Oct 30, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5. |
| CVE-2023-5323 | — | | | < 18.0.0 | 18.0.0 | Oct 1, 2023 | Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0. |
| CVE-2023-38888 | — | | | <= 17.0.1 | — | Sep 20, 2023 | Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject. |
| CVE-2023-38887 | — | | | <= 17.0.1 | — | Sep 20, 2023 | File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions. |
| CVE-2023-38886 | — | | | <= 17.0.1 | — | Sep 20, 2023 | An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script. |
| CVE-2023-33568 | — | | | >= 16.0.0, < 16.0.5 | 16.0.5 | Jun 13, 2023 | An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists. |
| CVE-2023-30253 | — | | | < 17.0.1 | 17.0.1 | May 29, 2023 | Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data. |
| CVE-2022-4093 | — | | | >= 16.0.1, <= 16.0.1 | — | Nov 21, 2022 | SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regul |
| CVE-2022-43138 | — | | | < 14.0.1 | 14.0.1 | Nov 17, 2022 | Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. |
Page 1 of 3