
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time a regular user or an administrative user clicked on the malicious link, which was hosted on the same domain as the application. The vulnerabilities could be exploited by low-privileged users to target administrators. The viewimage.php page did not perform any contextual output encoding and served the content of the uploaded file with a MIME type chosen by the requesting user rather than one fixed by the server.

• https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

Dolibarr 7.0.0 is affected by Cross-Site Request Forgery (CSRF). The impact is that malicious HTML can change a user's password, disable users, and disable password encryption. The affected components are the user password change, user disable, and password encryption functions. The attack vector is an administrator accessing malicious URLs.

• https://github.com/lucasgcilento/CVE/blob/master/Dolibarr_CSRF
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Dolibarr 6.0.4 is affected by Cross-Site Scripting (XSS). The impact is cookie stealing. The affected component is htdocs/product/stats/card.php. The attack vector is that the victim must click a specially crafted link sent by the attacker.

• https://github.com/Dolibarr/dolibarr/issues/7962
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.

• https://github.com/Dolibarr/dolibarr/issues/9449
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in Dolibarr through 7.0.0. There is stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or via a public or private note.

• https://github.com/Dolibarr/dolibarr/issues/9449
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')