Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Dolibarr Subscribe
Filtered by product Dolibarr Erp\/crm
Total 93 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-22293 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 3.5 LOW 5.4 MEDIUM
admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.
CVE-2019-1010054 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 6.8 MEDIUM 8.8 HIGH
Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function User password change, user disable and password encryptation. The attack vector is: admin access malitious urls.
CVE-2012-1226 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 7.5 HIGH N/A
Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to comm/action/fiche.php.
CVE-2019-17577 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 3.5 LOW 5.4 MEDIUM
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field.
CVE-2013-2091 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 7.5 HIGH 9.8 CRITICAL
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
CVE-2018-19993 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 4.3 MEDIUM 6.1 MEDIUM
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the transphrase parameter to public/notice.php.
CVE-2017-7886 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 7.5 HIGH 9.8 CRITICAL
Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter.
CVE-2013-2093 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 10.0 HIGH 9.8 CRITICAL
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVE-2017-7888 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 5.0 MEDIUM 9.8 CRITICAL
Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.
CVE-2020-9016 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 3.5 LOW 5.4 MEDIUM
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
CVE-2013-2092 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 4.3 MEDIUM 6.1 MEDIUM
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2021-25956 1 Dolibarr 2 Dolibarr, Dolibarr Erp\/crm 2022-11-17 6.5 MEDIUM 7.2 HIGH
In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.
CVE-2017-7887 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 4.3 MEDIUM 6.1 MEDIUM
Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter.
CVE-2020-11823 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 3.5 LOW 5.4 MEDIUM
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.
CVE-2018-19992 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 3.5 LOW 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php.
CVE-2017-17898 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 5.0 MEDIUM 7.5 HIGH
Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.
CVE-2018-19998 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 6.5 MEDIUM 8.8 HIGH
SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.
CVE-2014-3991 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu, or (7) leftmenu parameter to index.php; the (8) dol_use_jmobile, (9) dol_optimize_smallscreen, (10) dol_no_mouse_hover, (11) dol_hide_topmenu, or (12) dol_hide_leftmenu parameter to user/index.php; the (13) dol_use_jmobile, (14) dol_optimize_smallscreen, (15) dol_no_mouse_hover, (16) dol_hide_topmenu, or (17) dol_hide_leftmenu parameter to user/logout.php; the (18) email, (19) firstname, (20) job, (21) lastname, or (22) login parameter in an update action in a "User Card" to user/fiche.php; or the (23) modulepart or (24) file parameter to viewimage.php.
CVE-2020-35136 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 9.0 HIGH 7.2 HIGH
Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.
CVE-2021-33618 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 4.3 MEDIUM 6.1 MEDIUM
Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.