VYPR

Dolibarr

by Dolibarr

CVEs (90)

  • CVE-2014-3991 (Jul 11, 2014)
    risk 0.03 | cvss | epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6)…

  • CVE-2012-1225 (Feb 21, 2012)
    risk 0.03 | cvss | epss 0.03

    Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php.

  • CVE-2019-25452 (Feb 22, 2026)
    risk 0.00 | cvss | epss 0.00

    Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid…

  • CVE-2019-25450 (Feb 22, 2026)
    risk 0.00 | cvss | epss 0.00

    Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and…

  • CVE-2021-47779 (Jan 15, 2026)
    risk 0.00 | cvss | epss 0.00

    Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an…

  • CVE-2024-55228 (Jan 27, 2025)
    risk 0.00 | cvss | epss 0.01

    A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.

  • CVE-2024-55227 (Jan 27, 2025)
    risk 0.00 | cvss | epss 0.01

    A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.

  • CVE-2021-3991 (Nov 15, 2024)
    risk 0.00 | cvss | epss 0.00

    An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.

  • CVE-2024-31503 (Apr 16, 2024)
    risk 0.00 | cvss | epss 0.00

    Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.

  • CVE-2024-29477 (Apr 3, 2024)
    risk 0.00 | cvss | epss 0.01

    Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.

  • CVE-2024-23817 (Jan 25, 2024)
    risk 0.00 | cvss | epss 0.01

    Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and…

  • CVE-2023-4198 (Nov 1, 2023)
    risk 0.00 | cvss | epss 0.01

    Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data.

  • CVE-2023-4197 (Nov 1, 2023)
    risk 0.00 | cvss | epss 0.33

    Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

  • CVE-2023-5842 (Oct 30, 2023)
    risk 0.00 | cvss | epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.

  • CVE-2023-5323 (Oct 1, 2023)
    risk 0.00 | cvss | epss 0.00

    Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.

  • CVE-2023-38887 (Sep 20, 2023)
    risk 0.00 | cvss | epss 0.01

    File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.

  • CVE-2023-38888 (Sep 20, 2023)
    risk 0.00 | cvss | epss 0.01

    Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.

  • CVE-2023-33568 (Jun 13, 2023)
    risk 0.00 | cvss | epss 0.15

    An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.

  • CVE-2022-4093 (Nov 21, 2022)
    risk 0.00 | cvss | epss 0.04

    SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and…

  • CVE-2022-2060 (Jun 13, 2022)
    risk 0.00 | cvss | epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.