CVE-2011-4802 – Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection
https://notcve.org/view.php?id=CVE-2011-4802
Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.php in user/; and (9) rowid parameter to admin/boxes.php.
References:
• https://www.exploit-db.com/exploits/36333
• https://www.exploit-db.com/exploits/36331
• https://www.exploit-db.com/exploits/36332
• http://osvdb.org/77340
• http://osvdb.org/77341
• http://osvdb.org/77342
• http://osvdb.org/77343
• http://osvdb.org/77344
• http://osvdb.org/77345
• http://osvdb.org/77346
• http://osvdb.org/77347
• http://www.securityfocus.com/archive/1/520619/100/0/threaded
• http://www.securityfocus.com/bid/50777
• https://github.com/Dolibarr/doliba
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2011-4329
https://notcve.org/view.php?id=CVE-2011-4329
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter in a setup action to admin/company.php, or the PATH_INFO to (2) admin/security_other.php, (3) admin/events.php, or (4) admin/user.php.
References:
• http://archives.neohapsis.com/archives/bugtraq/2011-11/0052.html
• http://archives.neohapsis.com/archives/bugtraq/2011-11/0138.html
• http://www.securityfocus.com/bid/50617
• https://doliforge.org/tracker/?func=detail&aid=232&group_id=144
• https://github.com/Dolibarr/dolibarr/commit/762f98ab4137749d0993612b4e3544a4207e78a1
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')