CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-17971
https://notcve.org/view.php?id=CVE-2017-17971
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS. La función test_sql_and_script_inject en htdocs/main.inc.php en Dolibarr ERP/CRM 6.0.4 bloquea algunos atributos de evento, pero no bloquea onclick ni onscroll. Esto permite Cross-Site Scripting (XSS). • https://github.com/Dolibarr/dolibarr/issues/8000 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17899
https://notcve.org/view.php?id=CVE-2017-17899
SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter. Una vulnerabilidad de inyección SQL en adherents/subscription/info.php en Dolibarr ERP/CRM versión 6.0.4 permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro rowid. • https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17897
https://notcve.org/view.php?id=CVE-2017-17897
SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. Vulnerabilidad de inyección SQL en comm/multiprix.php en Dolibarr ERP/CRM versión 6.0.4 permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro id. • https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17898
https://notcve.org/view.php?id=CVE-2017-17898
Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information. Dolibarr ERP/CRM versión 6.0.4 no bloquea peticiones directas en archivos *.tpl.php, lo que permite que atacantes remotos obtengan información sensible. • https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c https://github.com/Dolibarr/dolibarr/commit/6a62e139604dbbd5729e57df2433b37a5950c35c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17900
https://notcve.org/view.php?id=CVE-2017-17900
SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter. Una vulnerabilidad de inyección SQL en fourn/index.php en Dolibarr ERP/CRM versión 6.0.4 permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro socid. • https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •