Bitnami package
dolibarr
pkg:bitnami/dolibarr
Vulnerabilities (46)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-11825 | — | | | >= 10.0.6, <= 10.0.6 | — | Apr 16, 2020 | In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation. |
| CVE-2020-11823 | — | | | >= 10.0.6, <= 10.0.6 | — | Apr 16, 2020 | In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account. |
| CVE-2020-9016 | — | | | >= 11.0.0, <= 11.0.0 | — | Feb 16, 2020 | Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header. |
| CVE-2020-7994 | — | | | >= 10.0.6, <= 10.0.6 | — | Jan 26, 2020 | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?main |
| CVE-2020-7995 | — | | | >= 10.0.6, <= 10.0.6 | — | Jan 26, 2020 | The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. |
| CVE-2020-7996 | — | | | >= 10.0.6, <= 10.0.6 | — | Jan 26, 2020 | htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header. |
Page 3 of 3