RSS   Vulnerabilities for 'Dolibarr erp/crm'   RSS

2019-07-29
 
CVE-2019-11201

CWE-94
 
 
Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server.

 
 
CVE-2019-11200

CWE-20
 
 
Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. (Malicious binaries can be uploaded by abusing other functionalities of the application.)

 
 
CVE-2019-11199

CWE-79
 
 
Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be exploited by low privileged users to target administrators. The viewimage.php page did not perform any contextual output encoding and would display the content within the uploaded file with a user-requested MIME type.

 
2018-07-08
 
CVE-2018-13450

CWE-89
 
 
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the status_batch parameter.

 
 
CVE-2018-13449

CWE-89
 
 
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut_buy parameter.

 
 
CVE-2018-13448

CWE-89
 
 
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the country_id parameter.

 
2018-04-10
 
CVE-2017-18260

CWE-89
 
 
Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities in versions through 7.0.0 via comm/propal/list.php (viewstatut parameter) or comm/propal/list.php (propal_statut parameter, aka search_statut parameter).

 
 
CVE-2017-18259

CWE-79
 
 
Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in versions through 7.0.0.

 
2014-11-21
 
CVE-2014-7137

CWE-89
 
 
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4) lineid parameter in a deletecontact action, (5) ligne parameter in a swapstatut action, or (6) ref parameter to projet/contact.php; (7) id parameter to compta/bank/fiche.php, (8) contact/info.php, (9) holiday/index.php, (10) product/stock/fiche.php, (11) product/stock/info.php, or (12) in an edit action to product/stock/fiche.php; (13) productid parameter in an addline action to product/stock/massstockmove.php; (14) project_ref parameter to projet/tasks/note.php; (15) ref parameter to element.php, (16) ganttview.php, (17) note.php, or (18) tasks.php in projet/; (19) sall or (20) sref parameter to comm/mailing/liste.php; (21) search_bon, (22) search_ligne, (23) search_societe, or (24) search_code parameter to compta/prelevement/liste.php; (25) search_label parameter to compta/sociales/index.php; (26) search_project parameter to projet/tasks/index.php; (27) search_societe parameter to compta/prelevement/demandes.php; (28) search_statut parameter to user/index.php; (29) socid parameter to compta/recap-compta.php, (30) societe/commerciaux.php, or (31) societe/rib.php; (32) sortorder, (33) sref, (34) sall, or (35) sortfield parameter to product/stock/liste.php; (36) statut parameter to adherents/liste.php or (37) compta/dons/liste.php; (38) tobuy or (39) tosell parameter to product/liste.php; (40) tobuy, (41) tosell, (42) search_categ, or (43) sref parameter to product/reassort.php; (44) type parameter to product/index.php; or the (a) sortorder or (b) sortfield parameter to (45) compta/paiement/cheque/liste.php, (46) compta/prelevement/bons.php, (47) compta/prelevement/rejets.php, (48) product/stats/commande.php, (49) product/stats/commande_fournisseur.php, (50) product/stats/contrat.php, (51) product/stats/facture.php, (52) product/stats/facture_fournisseur.php, (53) product/stats/propal.php, or (54) product/stock/replenishorders.php.

 

 >>> Vendor: Dolibarr 2 Products
Dolibarr
Dolibarr erp/crm

Copyright 2024, cxsecurity.com

 

Back to Top