Bitnami package
dolibarr
pkg:bitnami/dolibarr
Vulnerabilities (46)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-40871 | — | <= 15.0.3 | — | Oct 12, 2022 | Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval. | ||
| CVE-2022-2060 | — | < 16.0.0 | 16.0.0 | Jun 13, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0. | ||
| CVE-2022-30875 | — | >= 12.0.5, <= 12.0.5 | — | Jun 8, 2022 | Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via Sql Error Page. | ||
| CVE-2021-37517 | — | >= 13.0.2, <= 13.0.2 | — | Mar 31, 2022 | An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service. | ||
| CVE-2021-36625 | — | >= 13.0.2, <= 13.0.2 | — | Mar 31, 2022 | An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement. | ||
| CVE-2022-0819 | — | < 15.0.1 | 15.0.1 | Mar 2, 2022 | Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1. | ||
| CVE-2022-0746 | — | < 16.0.0 | 16.0.0 | Feb 25, 2022 | Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0. | ||
| CVE-2022-0731 | — | < 16.0.0 | 16.0.0 | Feb 23, 2022 | Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0. | ||
| CVE-2022-0414 | — | < 16.0.0 | 16.0.0 | Jan 31, 2022 | Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0. | ||
| CVE-2022-0224 | — | < 15.0.0 | 15.0.0 | Jan 14, 2022 | dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command | ||
| CVE-2022-0174 | — | < 15.0.0 | 15.0.0 | Jan 10, 2022 | Improper Validation of Specified Quantity in Input vulnerability in dolibarr dolibarr/dolibarr. | ||
| CVE-2022-22293 | — | >= 7.0.2, <= 7.0.2 | — | Jan 1, 2022 | admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter. | ||
| CVE-2021-33618 | — | >= 13.0.2, <= 13.0.2 | — | Nov 10, 2021 | Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature. | ||
| CVE-2021-33816 | — | >= 13.0.2, <= 13.0.2 | — | Nov 10, 2021 | The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked. | ||
| CVE-2021-25956 | — | >= 3.3.0-beta1, <= 3.3.0-beta1 | — | Aug 17, 2021 | In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. Th | ||
| CVE-2020-35136 | — | >= 12.0.3, <= 12.0.3 | — | Dec 23, 2020 | Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php. | ||
| CVE-2020-13828 | — | >= 11.0.4, <= 11.0.4 | — | Aug 31, 2020 | Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php w | ||
| CVE-2020-14475 | — | >= 11.0.3, <= 11.0.3 | — | Jun 19, 2020 | A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey). | ||
| CVE-2020-13239 | — | >= 11.0.4, <= 11.0.4 | — | May 20, 2020 | The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS. | ||
| CVE-2020-13240 | — | >= 11.0.4, <= 11.0.4 | — | May 20, 2020 | The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS. |
- CVE-2022-40871Oct 12, 2022affected <= 15.0.3
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.
- CVE-2022-2060Jun 13, 2022affected < 16.0.0fixed 16.0.0
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.
- CVE-2022-30875Jun 8, 2022affected >= 12.0.5, <= 12.0.5
Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via Sql Error Page.
- CVE-2021-37517Mar 31, 2022affected >= 13.0.2, <= 13.0.2
An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service.
- CVE-2021-36625Mar 31, 2022affected >= 13.0.2, <= 13.0.2
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.
- CVE-2022-0819Mar 2, 2022affected < 15.0.1fixed 15.0.1
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
- CVE-2022-0746Feb 25, 2022affected < 16.0.0fixed 16.0.0
Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.
- CVE-2022-0731Feb 23, 2022affected < 16.0.0fixed 16.0.0
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
- CVE-2022-0414Jan 31, 2022affected < 16.0.0fixed 16.0.0
Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0.
- CVE-2022-0224Jan 14, 2022affected < 15.0.0fixed 15.0.0
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
- CVE-2022-0174Jan 10, 2022affected < 15.0.0fixed 15.0.0
Improper Validation of Specified Quantity in Input vulnerability in dolibarr dolibarr/dolibarr.
- CVE-2022-22293Jan 1, 2022affected >= 7.0.2, <= 7.0.2
admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.
- CVE-2021-33618Nov 10, 2021affected >= 13.0.2, <= 13.0.2
Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.
- CVE-2021-33816Nov 10, 2021affected >= 13.0.2, <= 13.0.2
The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.
- CVE-2021-25956Aug 17, 2021affected >= 3.3.0-beta1, <= 3.3.0-beta1
In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. Th
- CVE-2020-35136Dec 23, 2020affected >= 12.0.3, <= 12.0.3
Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.
- CVE-2020-13828Aug 31, 2020affected >= 11.0.4, <= 11.0.4
Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php w
- CVE-2020-14475Jun 19, 2020affected >= 11.0.3, <= 11.0.3
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey).
- CVE-2020-13239May 20, 2020affected >= 11.0.4, <= 11.0.4
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.
- CVE-2020-13240May 20, 2020affected >= 11.0.4, <= 11.0.4
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
Page 2 of 3