Page 2 of 86 results (0.006 seconds)

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script. Un problema en Dolibarr ERP CRM v.17.0.1 y anteriores permite a un atacante remoto con privilegios ejecutar código arbitrario a través de un comando/script maniulado. • http://dolibarr.com https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38886_Dolibarr_RCE-1.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1

Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject. Vulnerabilidad de Cross Site Scripting en Dolibarr ERP CRM v.17.0.1 y anteriores permite a un atacante remoto obtener información sensible y ejecutar código arbitrario a través del módulo REST API, relacionado con analyseVarsForSqlAndScriptsInjection y testSqlAndScriptInject. • http://dolibarr.com https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38888_Dolibarr_XSS.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 48%CPEs: 1EXPL: 1

An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists. • https://github.com/Dolibarr/dolibarr/commit/bb7b69ef43673ed403436eac05e0bc31d5033ff7 https://github.com/Dolibarr/dolibarr/commit/be82f51f68d738cce205f4ce5b469ef42ed82d9e https://www.dolibarr.org/forum/t/dolibarr-16-0-security-breach/23471 https://www.dolibarr.org/forum/t/dolibarr-16-0-security-breach/23471/1 https://www.dsecbypass.com/en/dolibarr-pre-auth-contact-database-dump • CWE-552: Files or Directories Accessible to External Parties •

CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 5

Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data. En la versiones anteriores a Dolibarr v17.0.1 se permite la ejecución remota de código por un usuario autenticado a través de una manipulación de mayúsculas, por ejemplo: " • https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253 https://github.com/04Shivam/CVE-2023-30253-Exploit https://github.com/dollarboysushil/Dolibarr-17.0.0-Exploit-CVE-2023-30253 https://github.com/g4nkd/CVE-2023-30253-PoC https://github.com/Dolibarr/dolibarr https://www.swascan.com/blog https://www.swascan.com/security-advisory-dolibarr-17-0-0 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affect 16.0.1 and 16.0.2 only. 16.0.0 or lower, and 16.0.3 or higher are not affected Los ataques de inyección SQL pueden dar lugar a un acceso no autorizado a datos sensibles, como contraseñas, datos de tarjetas de crédito o información personal del usuario. Muchas violaciones de datos de alto perfil en los últimos años han sido el resultado de ataques de inyección SQL, lo que ha provocado daños a la reputación y multas de organismos reguladores. • https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011 https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •