VYPR

Vendor CVEs

Dolibarr

All CVEs

90 total · sorted by risk
  • CVE-2024-23817 · Jan 25, 2024
    risk 0.00 · cvss · epss 0.01

    Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and…

  • CVE-2023-4198 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.01

    Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data.

  • CVE-2023-4197 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.33

    Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

  • CVE-2023-5842 · Oct 30, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.

  • CVE-2023-5323 · Oct 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.

  • CVE-2023-38887 · Sep 20, 2023
    risk 0.00 · cvss · epss 0.01

    File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.

  • CVE-2023-38888 · Sep 20, 2023
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.

  • CVE-2023-33568 · Jun 13, 2023
    risk 0.00 · cvss · epss 0.15

    An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.

  • CVE-2022-4093 · Nov 21, 2022
    risk 0.00 · cvss · epss 0.04

    SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and…

  • CVE-2022-2060 · Jun 13, 2022
    risk 0.00 · cvss · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.

  • CVE-2022-30875 · Jun 8, 2022
    risk 0.00 · cvss · epss 0.01

    Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via the SQL error page.

  • CVE-2022-0819 · Mar 2, 2022
    risk 0.00 · cvss · epss 0.44

    Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.

  • CVE-2022-0746 · Feb 25, 2022
    risk 0.00 · cvss · epss 0.01

    Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.

  • CVE-2022-0731 · Feb 23, 2022
    risk 0.00 · cvss · epss 0.01

    Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.

  • CVE-2022-0414 · Jan 31, 2022
    risk 0.00 · cvss · epss 0.01

    Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0.

  • CVE-2022-0224 · Jan 14, 2022
    risk 0.00 · cvss · epss 0.02

    dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command.

  • CVE-2022-0174 · Jan 10, 2022
    risk 0.00 · cvss · epss 0.01

    Improper Validation of Specified Quantity in Input vulnerability in dolibarr dolibarr/dolibarr.

  • CVE-2021-25956 · Aug 17, 2021
    risk 0.00 · cvss · epss 0.01

    In the “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 give admin-level users “Modify” access to change other users’ details but fail to validate an already existing “Login” name while renaming the user “Login”. This leads to complete account takeover of…

  • CVE-2021-25957 · Aug 17, 2021
    risk 0.00 · cvss · epss 0.01

    In the “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via the password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for…

  • CVE-2021-25955 · Aug 15, 2021
    risk 0.00 · cvss · epss 0.01

    In “Dolibarr ERP CRM”, the WYSIWYG Editor module in v2.8.1 to v13.0.2 is affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at the “/adherents/note.php?id=1” endpoint. These scripts are…

  • CVE-2021-25954 · Aug 9, 2021
    risk 0.00 · cvss · epss 0.01

    In the “Dolibarr” application, versions 2.8.1 to 13.0.4 do not restrict, or incorrectly restrict, access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note, which only an administrator has rights to do; the affected field is at…

  • CVE-2020-35136 · Dec 23, 2020
    risk 0.00 · cvss · epss 0.06

    Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.

  • CVE-2020-12669 · May 6, 2020
    risk 0.00 · cvss · epss 0.02

    core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.

  • CVE-2013-2093 · Nov 20, 2019
    risk 0.00 · cvss · epss 0.05

    Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php, which allows remote attackers to execute arbitrary commands.

  • CVE-2013-2092 · Nov 20, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.

  • CVE-2013-2091 · Nov 20, 2019
    risk 0.00 · cvss · epss 0.03

    SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.

  • CVE-2019-11199 · Jul 29, 2019
    risk 0.00 · cvss · epss 0.01

    Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be…

  • CVE-2018-16809 · Mar 7, 2019
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.

  • CVE-2018-16808 · Mar 7, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Dolibarr through 7.0.0. There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private note.

  • CVE-2018-19995 · Jan 3, 2019
    risk 0.00 · cvss · epss 0.01

    A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php.

  • CVE-2018-19998 · Jan 3, 2019
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.

  • CVE-2018-19992 · Jan 3, 2019
    risk 0.00 · cvss · epss 0.01

    A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php.

  • CVE-2018-19994 · Jan 3, 2019
    risk 0.00 · cvss · epss 0.02

    An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter.

  • CVE-2018-19993 · Jan 3, 2019
    risk 0.00 · cvss · epss 0.01

    A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the transphrase parameter to public/notice.php.

  • CVE-2015-3935 · Jun 10, 2015
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 allow remote attackers to inject arbitrary web script or HTML via the Business Search (search_nom) field to (1) htdocs/societe/societe.php or (2) htdocs/societe/admin/societe.php.

  • CVE-2014-7137 · Nov 21, 2014
    risk 0.00 · cvss · epss 0.02

    Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to…

  • CVE-2012-1226 · Feb 21, 2012
    risk 0.00 · cvss · epss 0.25

    Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to…

  • CVE-2011-4814 · Dec 14, 2011
    risk 0.00 · cvss · epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss…

  • CVE-2011-4802 · Dec 14, 2011
    risk 0.00 · cvss · epss 0.06

    Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to…

  • CVE-2011-4329 · Nov 28, 2011
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter in a setup action to admin/company.php, or the PATH_INFO to (2) admin/security_other.php, (3) admin/events.php, or…

Page 2 of 2