CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2014-3991 – Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-3991
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu, or (7) leftmenu parameter to index.php; the (8) dol_use_jmobile, (9) dol_optimize_smallscreen, (10) dol_no_mouse_hover, (11) dol_hide_topmenu, or (12) dol_hide_leftmenu parameter to user/index.php; the (13) dol_use_jmobile, (14) dol_optimize_smallscreen, (15) dol_no_mouse_hover, (16) dol_hide_topmenu, or (17) dol_hide_leftmenu parameter to user/logout.php; the (18) email, (19) firstname, (20) job, (21) lastname, or (22) login parameter in an update action in a "User Card" to user/fiche.php; or the (23) modulepart or (24) file parameter to viewimage.php. Múltiples vulnerabilidades de XSS en Dolibarr ERP/CRM 3.5.3 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu o (7) leftmenu en index.php; parámetro (8) dol_use_jmobile, (9) dol_optimize_smallscreen, (10) dol_no_mouse_hover, (11) dol_hide_topmenu o (12) dol_hide_leftmenu en user/index.php; parámetro (13) dol_use_jmobile, (14) dol_optimize_smallscreen, (15) dol_no_mouse_hover, (16) dol_hide_topmenu o (17) dol_hide_leftmenu en user/logout.php; parámetro (18) email, (19) firstname, (20) job, (21) lastname o (22) login en una acción de actualización en una 'Trajeta de Usuario' en user/fiche.php; o parámetro (23) modulepart o (24) file en viewimage.php. • https://www.exploit-db.com/exploits/34007 http://packetstormsecurity.com/files/127389/Dolibarr-CMS-3.5.3-SQL-Injection-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2014-3992 – Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-3992
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php. Múltiples vulnerabilidades de inyección SQL en Dolibarr ERP/CRM 3.5.3 permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del (1) parámetro entity en una acción de actualización en user/fiche.php o (2) parámetro sortorder en user/group/index.php. Dolibarr CMS version 3.5.3 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/34007 http://packetstormsecurity.com/files/127389/Dolibarr-CMS-3.5.3-SQL-Injection-Cross-Site-Scripting.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 3CVE-2012-1225 – Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection
https://notcve.org/view.php?id=CVE-2012-1225
Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php. Múltiples vulnerabilidades de inyección SQL en Dolibarr CMS v3.2.0 Alpha y anteriores permite a usuarios autenticados de forma remota ejecutar comandos SQL a través de (1) el parámetro memberslist (también conocido como Member List) en list.php o (2) el parámetro rowid en adherents/fiche.php. • https://www.exploit-db.com/exploits/36683 http://archives.neohapsis.com/archives/bugtraq/2012-02/0056.html http://osvdb.org/79011 http://secunia.com/advisories/47969 http://www.securityfocus.com/bid/51956 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 11%CPEs: 1EXPL: 5CVE-2012-1226 – Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-1226
Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to comm/action/fiche.php. Múltiples vulnerabilidades de salto de directorio en Dolibarr CMS v3.2.0 Alpha permite a atacantes remotos leer ficheros arbitrarios y posiblemente ejecutar código arbitrario a través de un .. (punto punto) en el parámetro de archivo (1) a document.php o (2) el parámetro backtopage en una acción de creación de comm / acción / fiche.php. • https://www.exploit-db.com/exploits/36873 https://www.exploit-db.com/exploits/18480 http://archives.neohapsis.com/archives/bugtraq/2012-02/0168.html http://www.exploit-db.com/exploits/18480 http://www.securityfocus.com/archive/1/521583 http://www.vulnerability-lab.com/get_content.php?id=428 https://exchange.xforce.ibmcloud.com/vulnerabilities/73136 https://github.com/Dolibarr/dolibarr/commit/5381986e50dd6055f2b3b63281eaacffa0449da2 https://github.com/Dolibarr/dolibarr/commit/8f9b9987ffb42cfbe907fe31ded3001bfc • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 7CVE-2011-4814 – Dolibarr ERP/CRM 3.1 - Multiple Script URI Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4814
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss parameter to (5) admin/ihm.php and (6) user/home.php. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Dolibarr v3.1.0 RC y probablemente anteriores, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de PATH_INFO de (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss parameter to (5) admin/ihm.php y (6) user/home.php. • https://www.exploit-db.com/exploits/36330 http://www.osvdb.org/77339 http://www.securityfocus.com/archive/1/520619/100/0/threaded http://www.securityfocus.com/bid/50777 https://github.com/Dolibarr/dolibarr/commit/63820ab37537fdff842539425b2bf2881f0d8e91 https://github.com/Dolibarr/dolibarr/commit/762f98ab4137749d0993612b4e3544a4207e78a1 https://github.com/Dolibarr/dolibarr/commit/c539155d6ac2f5b6ea75b87a16f298c0090e535a https://github.com/Dolibarr/dolibarr/commit/d08d28c0cda1f762a47cc205d4363de03df16675 https://www.htbridge.ch/advisory& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •