Vendor CVEs
Dolibarr
All CVEs
90 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-23817 | | | 0.00 | — | 0.01 | | Jan 25, 2024 | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and… |
| CVE-2023-4198 | | | 0.00 | — | 0.01 | | Nov 1, 2023 | Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data |
| CVE-2023-4197 | | | 0.00 | — | 0.33 | | Nov 1, 2023 | Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. |
| CVE-2023-5842 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5. |
| CVE-2023-5323 | | | 0.00 | — | 0.00 | | Oct 1, 2023 | Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0. |
| CVE-2023-38887 | | | 0.00 | — | 0.01 | | Sep 20, 2023 | File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions. |
| CVE-2023-38888 | | | 0.00 | — | 0.01 | | Sep 20, 2023 | Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject. |
| CVE-2023-33568 | | | 0.00 | — | 0.15 | | Jun 13, 2023 | An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists. |
| CVE-2022-4093 | | | 0.00 | — | 0.04 | | Nov 21, 2022 | SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and… |
| CVE-2022-2060 | | | 0.00 | — | 0.01 | | Jun 13, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0. |
| CVE-2022-30875 | | | 0.00 | — | 0.01 | | Jun 8, 2022 | Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via Sql Error Page. |
| CVE-2022-0819 | | | 0.00 | — | 0.44 | | Mar 2, 2022 | Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1. |
| CVE-2022-0746 | | | 0.00 | — | 0.01 | | Feb 25, 2022 | Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0. |
| CVE-2022-0731 | | | 0.00 | — | 0.01 | | Feb 23, 2022 | Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0. |
| CVE-2022-0414 | | | 0.00 | — | 0.01 | | Jan 31, 2022 | Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0. |
| CVE-2022-0224 | | | 0.00 | — | 0.02 | | Jan 14, 2022 | dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command |
| CVE-2022-0174 | | | 0.00 | — | 0.01 | | Jan 10, 2022 | Improper Validation of Specified Quantity in Input vulnerability in dolibarr dolibarr/dolibarr. |
| CVE-2021-25956 | | | 0.00 | — | 0.01 | | Aug 17, 2021 | In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of… |
| CVE-2021-25957 | | | 0.00 | — | 0.01 | | Aug 17, 2021 | In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for… |
| CVE-2021-25955 | | | 0.00 | — | 0.01 | | Aug 15, 2021 | In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are… |
| CVE-2021-25954 | | | 0.00 | — | 0.01 | | Aug 9, 2021 | In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at… |
| CVE-2020-35136 | | | 0.00 | — | 0.06 | | Dec 23, 2020 | Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php. |
| CVE-2020-12669 | | | 0.00 | — | 0.02 | | May 6, 2020 | core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter. |
| CVE-2013-2093 | | | 0.00 | — | 0.05 | | Nov 20, 2019 | Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands. |
| CVE-2013-2092 | | | 0.00 | — | 0.01 | | Nov 20, 2019 | Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php. |
| CVE-2013-2091 | | | 0.00 | — | 0.03 | | Nov 20, 2019 | SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php. |
| CVE-2019-11199 | | | 0.00 | — | 0.01 | | Jul 29, 2019 | Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be… |
| CVE-2018-16809 | | | 0.00 | — | 0.02 | | Mar 7, 2019 | An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit. |
| CVE-2018-16808 | | | 0.00 | — | 0.01 | | Mar 7, 2019 | An issue was discovered in Dolibarr through 7.0.0. There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private note. |
| CVE-2018-19995 | | | 0.00 | — | 0.01 | | Jan 3, 2019 | A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php. |
| CVE-2018-19998 | | | 0.00 | — | 0.02 | | Jan 3, 2019 | SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter. |
| CVE-2018-19992 | | | 0.00 | — | 0.01 | | Jan 3, 2019 | A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php. |
| CVE-2018-19994 | | | 0.00 | — | 0.02 | | Jan 3, 2019 | An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter. |
| CVE-2018-19993 | | | 0.00 | — | 0.01 | | Jan 3, 2019 | A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the transphrase parameter to public/notice.php. |
| CVE-2015-3935 | | | 0.00 | — | 0.02 | | Jun 10, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 allow remote attackers to inject arbitrary web script or HTML via the Business Search (search_nom) field to (1) htdocs/societe/societe.php or (2) htdocs/societe/admin/societe.php. |
| CVE-2014-7137 | | | 0.00 | — | 0.02 | | Nov 21, 2014 | Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to… |
| CVE-2012-1226 | | | 0.00 | — | 0.25 | | Feb 21, 2012 | Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to… |
| CVE-2011-4814 | | | 0.00 | — | 0.06 | | Dec 14, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss… |
| CVE-2011-4802 | | | 0.00 | — | 0.06 | | Dec 14, 2011 | Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to… |
| CVE-2011-4329 | | | 0.00 | — | 0.02 | | Nov 28, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter in a setup action to admin/company.php, or the PATH_INFO to (2) admin/security_other.php, (3) admin/events.php, or… |
Page 2 of 2