CVSS: 7.5 • EPSS: 11% • CPEs: 1 • EXPL: 5

Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to comm/action/fiche.php.

https://www.exploit-db.com/exploits/36873
https://www.exploit-db.com/exploits/18480
http://archives.neohapsis.com/archives/bugtraq/2012-02/0168.html
http://www.exploit-db.com/exploits/18480
http://www.securityfocus.com/archive/1/521583
http://www.vulnerability-lab.com/get_content.php?id=428
https://exchange.xforce.ibmcloud.com/vulnerabilities/73136
https://github.com/Dolibarr/dolibarr/commit/5381986e50dd6055f2b3b63281eaacffa0449da2
https://github.com/Dolibarr/dolibarr/commit/8f9b9987ffb42cfbe907fe31ded3001bfc

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 4.3 • EPSS: 0% • CPEs: 11 • EXPL: 7

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss parameter to (5) admin/ihm.php and (6) user/home.php.

https://www.exploit-db.com/exploits/36330
http://www.osvdb.org/77339
http://www.securityfocus.com/archive/1/520619/100/0/threaded
http://www.securityfocus.com/bid/50777
https://github.com/Dolibarr/dolibarr/commit/63820ab37537fdff842539425b2bf2881f0d8e91
https://github.com/Dolibarr/dolibarr/commit/762f98ab4137749d0993612b4e3544a4207e78a1
https://github.com/Dolibarr/dolibarr/commit/c539155d6ac2f5b6ea75b87a16f298c0090e535a
https://github.com/Dolibarr/dolibarr/commit/d08d28c0cda1f762a47cc205d4363de03df16675
https://www.htbridge.ch/advisory&

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 11 • EXPL: 11

Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to (a) user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.php in user/; and (9) rowid parameter to admin/boxes.php.

https://www.exploit-db.com/exploits/36333
https://www.exploit-db.com/exploits/36331
https://www.exploit-db.com/exploits/36332
http://osvdb.org/77340
http://osvdb.org/77341
http://osvdb.org/77342
http://osvdb.org/77343
http://osvdb.org/77344
http://osvdb.org/77345
http://osvdb.org/77346
http://osvdb.org/77347
http://www.securityfocus.com/archive/1/520619/100/0/threaded
http://www.securityfocus.com/bid/50777
https://github.com/Dolibarr/doliba

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter in a setup action to admin/company.php, or the PATH_INFO to (2) admin/security_other.php, (3) admin/events.php, or (4) admin/user.php.

http://archives.neohapsis.com/archives/bugtraq/2011-11/0052.html
http://archives.neohapsis.com/archives/bugtraq/2011-11/0138.html
http://www.securityfocus.com/bid/50617
https://doliforge.org/tracker/?func=detail&aid=232&group_id=144
https://github.com/Dolibarr/dolibarr/commit/762f98ab4137749d0993612b4e3544a4207e78a1

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')