CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4198 – Dolibarr ERP CRM (<= 17.0.3) Improper Access Control
https://notcve.org/view.php?id=CVE-2023-4198
01 Nov 2023 — Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data El control de acceso inadecuado en Dolibarr ERP CRM versiones <= 17.0.3 permite a un usuario autenticado no autorizado leer una tabla de base de datos que contiene datos del cliente • https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb#diff-7d68365a708c954051853ade884c7e97c6ff13150ee92657d6ffc8603e0f947b • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4197 – Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE
https://notcve.org/view.php?id=CVE-2023-4197
01 Nov 2023 — Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. La validación de entrada incorrecta en Dolibarr ERP CRM versiones <= 18.0.1 no elimina cierto código PHP de la entrada proporcionada por el usuario al crear un sitio web, lo que permite a un atacante inyectar y evaluar código PHP arbitrario. • https://github.com/alien-keric/CVE-2023-4197 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5842 – Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
https://notcve.org/view.php?id=CVE-2023-5842
30 Oct 2023 — Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5. Cross-Site Scripting (XSS) Almacenado en el repositorio de GitHub dolibarr/dolibarr anterior a 16.0.5. • https://github.com/dolibarr/dolibarr/commit/f569048eb2bd823525bce4ef52316e7a83e3345c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5323 – Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr
https://notcve.org/view.php?id=CVE-2023-5323
01 Oct 2023 — Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0. Cross-Site Scripting (XSS) Genérico en el repositorio de GitHub dolibarr/dolibarr anterior a la versión 18.0. • https://github.com/dolibarr/dolibarr/commit/695ca086847b3b6a185afa93e897972c93c43d15 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38886
https://notcve.org/view.php?id=CVE-2023-38886
20 Sep 2023 — An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script. Un problema en Dolibarr ERP CRM v.17.0.1 y anteriores permite a un atacante remoto con privilegios ejecutar código arbitrario a través de un comando/script maniulado. • http://dolibarr.com • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38887
https://notcve.org/view.php?id=CVE-2023-38887
20 Sep 2023 — File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions. Vulnerabilidad de carga de archivos en Dolibarr ERP CRM v.17.0.1 y anteriores permite a un atacante remoto ejecutar código arbitrario y obtener información sensible a través de las funciones de filtrado y cambio de nombre de la extensión. • http://dolibarr.com • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38888
https://notcve.org/view.php?id=CVE-2023-38888
20 Sep 2023 — Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject. Vulnerabilidad de Cross Site Scripting en Dolibarr ERP CRM v.17.0.1 y anteriores permite a un atacante remoto obtener información sensible y ejecutar código arbitrario a través del módulo REST API, relacionado con analyseVarsForSqlAndScriptsInjection y... • http://dolibarr.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 3%CPEs: 1EXPL: 8CVE-2023-30253
https://notcve.org/view.php?id=CVE-2023-30253
29 May 2023 — Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data. En la versiones anteriores a Dolibarr v17.0.1 se permite la ejecución remota de código por un usuario autenticado a través de una manipulación de mayúsculas, por ejemplo: " • https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 1CVE-2022-43138
https://notcve.org/view.php?id=CVE-2022-43138
17 Nov 2022 — Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. Dolibarr ERP y software de código abierto CRM for Business anterior a v14.0.1 permite a los atacantes escalar privilegios a través de una API manipulada. • https://www.exploit-db.com/exploits/50248 •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40871
https://notcve.org/view.php?id=CVE-2022-40871
12 Oct 2022 — Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval. Dolibarr ERP & CRM versiones anteriores a 15.0.3 incluyéndola, es vulnerable a una inyección de Eval. Por defecto, cualquier administrador puede ser añadido a la página de instalación de dolibarr, y si es añadido con éxito, puede insertarse código malicioso en ... • https://github.com/youncyb/dolibarr-rce • CWE-94: Improper Control of Generation of Code ('Code Injection') •