Filtered by vendor Dolibarr
Subscribe
Total
118 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14209 | 1 Dolibarr | 1 Dolibarr | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism). | |||||
| CVE-2020-13828 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter. | |||||
| CVE-2020-14475 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey). | |||||
| CVE-2020-14201 | 1 Dolibarr | 1 Dolibarr | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source code. | |||||
| CVE-2020-11823 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account. | |||||
| CVE-2019-19212 | 1 Dolibarr | 1 Dolibarr | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen). | |||||
| CVE-2020-14443 | 1 Dolibarr | 1 Dolibarr | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter. | |||||
| CVE-2019-16687 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation. | |||||
| CVE-2020-7996 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header. | |||||
| CVE-2013-2091 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php. | |||||
| CVE-2013-2092 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php. | |||||
| CVE-2019-17578 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field. | |||||
| CVE-2019-16686 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin. | |||||
| CVE-2020-9016 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header. | |||||
| CVE-2020-7995 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. | |||||
| CVE-2019-17223 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php. | |||||
| CVE-2019-17576 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field. | |||||
| CVE-2013-2093 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands. | |||||
| CVE-2019-19206 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture. | |||||
| CVE-2019-17577 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field. | |||||