CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-7888 – Dolibarr 4.0.4 SQL Injection / XSS / Weaknesses
https://notcve.org/view.php?id=CVE-2017-7888
Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier. Dolibarr ERP / CRM 4.0.4 almacena contraseñas con el algoritmo MD5, lo que facilita los ataques de fuerza bruta. Dolibarr version 4.0.4 suffers from cross site scripting, weak hashing, weak password change, and remote SQL injection vulnerabilities. • https://www.foxmole.com/advisories/foxmole-2017-02-23.txt • CWE-326: Inadequate Encryption Strength •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-8879 – Dolibarr 4.0.4 SQL Injection / XSS / Weaknesses
https://notcve.org/view.php?id=CVE-2017-8879
Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation. Dolibarr ERP/CRM 4.0.4 permite cambios de contraseña sin proporcionar la contraseña actual, lo que facilita a los atacantes físicamente cerca obtener acceso a través de una estación de trabajo desatendida. Dolibarr version 4.0.4 suffers from cross site scripting, weak hashing, weak password change, and remote SQL injection vulnerabilities. • https://www.foxmole.com/advisories/foxmole-2017-02-23.txt • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2014-3991 – Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-3991
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu, or (7) leftmenu parameter to index.php; the (8) dol_use_jmobile, (9) dol_optimize_smallscreen, (10) dol_no_mouse_hover, (11) dol_hide_topmenu, or (12) dol_hide_leftmenu parameter to user/index.php; the (13) dol_use_jmobile, (14) dol_optimize_smallscreen, (15) dol_no_mouse_hover, (16) dol_hide_topmenu, or (17) dol_hide_leftmenu parameter to user/logout.php; the (18) email, (19) firstname, (20) job, (21) lastname, or (22) login parameter in an update action in a "User Card" to user/fiche.php; or the (23) modulepart or (24) file parameter to viewimage.php. Múltiples vulnerabilidades de XSS en Dolibarr ERP/CRM 3.5.3 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu o (7) leftmenu en index.php; parámetro (8) dol_use_jmobile, (9) dol_optimize_smallscreen, (10) dol_no_mouse_hover, (11) dol_hide_topmenu o (12) dol_hide_leftmenu en user/index.php; parámetro (13) dol_use_jmobile, (14) dol_optimize_smallscreen, (15) dol_no_mouse_hover, (16) dol_hide_topmenu o (17) dol_hide_leftmenu en user/logout.php; parámetro (18) email, (19) firstname, (20) job, (21) lastname o (22) login en una acción de actualización en una 'Trajeta de Usuario' en user/fiche.php; o parámetro (23) modulepart o (24) file en viewimage.php. • https://www.exploit-db.com/exploits/34007 http://packetstormsecurity.com/files/127389/Dolibarr-CMS-3.5.3-SQL-Injection-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2014-3992 – Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-3992
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php. Múltiples vulnerabilidades de inyección SQL en Dolibarr ERP/CRM 3.5.3 permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del (1) parámetro entity en una acción de actualización en user/fiche.php o (2) parámetro sortorder en user/group/index.php. Dolibarr CMS version 3.5.3 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/34007 http://packetstormsecurity.com/files/127389/Dolibarr-CMS-3.5.3-SQL-Injection-Cross-Site-Scripting.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 3CVE-2012-1225 – Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection
https://notcve.org/view.php?id=CVE-2012-1225
Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php. Múltiples vulnerabilidades de inyección SQL en Dolibarr CMS v3.2.0 Alpha y anteriores permite a usuarios autenticados de forma remota ejecutar comandos SQL a través de (1) el parámetro memberslist (también conocido como Member List) en list.php o (2) el parámetro rowid en adherents/fiche.php. • https://www.exploit-db.com/exploits/36683 http://archives.neohapsis.com/archives/bugtraq/2012-02/0056.html http://osvdb.org/79011 http://secunia.com/advisories/47969 http://www.securityfocus.com/bid/51956 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •