CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17899
https://notcve.org/view.php?id=CVE-2017-17899
24 Dec 2017 — SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter. Una vulnerabilidad de inyección SQL en adherents/subscription/info.php en Dolibarr ERP/CRM versión 6.0.4 permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro rowid. • https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17898
https://notcve.org/view.php?id=CVE-2017-17898
24 Dec 2017 — Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information. Dolibarr ERP/CRM versión 6.0.4 no bloquea peticiones directas en archivos *.tpl.php, lo que permite que atacantes remotos obtengan información sensible. • https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14242
https://notcve.org/view.php?id=CVE-2017-14242
11 Sep 2017 — SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter. Una vulnerabilidad de inyección SQL en don/list.php en Dolibarr 6.0.0 permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro statut. • https://github.com/Dolibarr/dolibarr/commit/33e2179b65331d9d9179b59d746817c5be1fecdb • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14238
https://notcve.org/view.php?id=CVE-2017-14238
11 Sep 2017 — SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter. Una vulnerabilidad de inyección SQL en admin/menus/edit.php en Dolibarr ERP/CRM 6.0.0 permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro menuid. • https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14239
https://notcve.org/view.php?id=CVE-2017-14239
11 Sep 2017 — Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors, (9) Note, (10) Capital, (11) ProfId1, (12) ProfId2, (13) ProfId3, (14) ProfId4, (15) ProfId5, or (16) ProfId6 parameter to htdocs/admin/company.php. Existen múltiples vulnerabilidades de tipo Cross-Site Scripting (XSS) en Dolibarr E... • https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14241
https://notcve.org/view.php?id=CVE-2017-14241
11 Sep 2017 — Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Dolibarr ERP/CRM 6.0.0 permite que usuarios autenticados remotos inyecten scripts web o HTML arbitrarios mediante el parámetro Title en htdocs/admin/menus/edit.php. • https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14240
https://notcve.org/view.php?id=CVE-2017-14240
11 Sep 2017 — There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter. Existe una vulnerabilidad de revelación de información sensible en document.php en Dolibarr ERP/CRM 6.0.0 mediante el parámetro file. • https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9840
https://notcve.org/view.php?id=CVE-2017-9840
25 Jun 2017 — Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. Dolibarr ERP/CRM 5.0.3 y anteriores permite a usuarios con pocos privilegios subir archivos de tipos peligrosos, lo que puede resultar en la ejecución de código arbitrario dentro del contexto de la aplicación vulnerable. • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-009 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9435
https://notcve.org/view.php?id=CVE-2017-9435
05 Jun 2017 — Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). El ERP/CRM Dolibarr anterior a versión 5.0.3, es vulnerable a una inyección SQL en el archivo user/index.php (parámetros search_supervisor y search_statut). • https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2017-7886 – Dolibarr 4.0.4 SQL Injection / XSS / Weaknesses
https://notcve.org/view.php?id=CVE-2017-7886
10 May 2017 — Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter. Dolibarr ERP / CRM 4.0.4 tiene un SQL Injection en doli / theme / eldy / style.css.php a través del parámetro lang. Dolibarr version 4.0.4 suffers from cross site scripting, weak hashing, weak password change, and remote SQL injection vulnerabilities. • https://packetstorm.news/files/id/142461 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •