Dolibarr
by Dolibarr
Source repositories
CVEs (90)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-30875 | | | 0.00 | — | 0.01 | | Jun 8, 2022 | Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via Sql Error Page. |
| CVE-2022-0819 | | | 0.00 | — | 0.44 | | Mar 2, 2022 | Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1. |
| CVE-2022-0746 | | | 0.00 | — | 0.01 | | Feb 25, 2022 | Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0. |
| CVE-2022-0731 | | | 0.00 | — | 0.01 | | Feb 23, 2022 | Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0. |
| CVE-2022-0414 | | | 0.00 | — | 0.01 | | Jan 31, 2022 | Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0. |
| CVE-2022-0224 | | | 0.00 | — | 0.02 | | Jan 14, 2022 | dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command |
| CVE-2022-0174 | | | 0.00 | — | 0.01 | | Jan 10, 2022 | Improper Validation of Specified Quantity in Input vulnerability in dolibarr dolibarr/dolibarr. |
| CVE-2021-25956 | | | 0.00 | — | 0.01 | | Aug 17, 2021 | In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of… |
| CVE-2021-25957 | | | 0.00 | — | 0.01 | | Aug 17, 2021 | In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for… |
| CVE-2021-25955 | | | 0.00 | — | 0.01 | | Aug 15, 2021 | In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are… |
| CVE-2021-25954 | | | 0.00 | — | 0.01 | | Aug 9, 2021 | In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at… |
| CVE-2020-35136 | | | 0.00 | — | 0.06 | | Dec 23, 2020 | Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php. |
| CVE-2020-12669 | | | 0.00 | — | 0.02 | | May 6, 2020 | core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter. |
| CVE-2013-2093 | | | 0.00 | — | 0.05 | | Nov 20, 2019 | Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands. |
| CVE-2013-2092 | | | 0.00 | — | 0.01 | | Nov 20, 2019 | Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php. |
| CVE-2013-2091 | | | 0.00 | — | 0.03 | | Nov 20, 2019 | SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php. |
| CVE-2019-11199 | | | 0.00 | — | 0.01 | | Jul 29, 2019 | Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be… |
| CVE-2018-16809 | | | 0.00 | — | 0.02 | | Mar 7, 2019 | An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit. |
| CVE-2018-16808 | | | 0.00 | — | 0.01 | | Mar 7, 2019 | An issue was discovered in Dolibarr through 7.0.0. There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private note. |
| CVE-2018-19995 | | | 0.00 | — | 0.01 | | Jan 3, 2019 | A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php. |