CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38886
https://notcve.org/view.php?id=CVE-2023-38886
An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script. Un problema en Dolibarr ERP CRM v.17.0.1 y anteriores permite a un atacante remoto con privilegios ejecutar código arbitrario a través de un comando/script maniulado. • http://dolibarr.com https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38886_Dolibarr_RCE-1.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38888
https://notcve.org/view.php?id=CVE-2023-38888
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject. Vulnerabilidad de Cross Site Scripting en Dolibarr ERP CRM v.17.0.1 y anteriores permite a un atacante remoto obtener información sensible y ejecutar código arbitrario a través del módulo REST API, relacionado con analyseVarsForSqlAndScriptsInjection y testSqlAndScriptInject. • http://dolibarr.com https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38888_Dolibarr_XSS.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 5CVE-2023-30253
https://notcve.org/view.php?id=CVE-2023-30253
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data. En la versiones anteriores a Dolibarr v17.0.1 se permite la ejecución remota de código por un usuario autenticado a través de una manipulación de mayúsculas, por ejemplo: " • https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253 https://github.com/04Shivam/CVE-2023-30253-Exploit https://github.com/dollarboysushil/Dolibarr-17.0.0-Exploit-CVE-2023-30253 https://github.com/g4nkd/CVE-2023-30253-PoC https://github.com/Dolibarr/dolibarr https://www.swascan.com/blog https://www.swascan.com/security-advisory-dolibarr-17-0-0 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2022-43138
https://notcve.org/view.php?id=CVE-2022-43138
Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. Dolibarr ERP y software de código abierto CRM for Business anterior a v14.0.1 permite a los atacantes escalar privilegios a través de una API manipulada. • https://www.exploit-db.com/exploits/50248 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40871
https://notcve.org/view.php?id=CVE-2022-40871
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval. Dolibarr ERP & CRM versiones anteriores a 15.0.3 incluyéndola, es vulnerable a una inyección de Eval. Por defecto, cualquier administrador puede ser añadido a la página de instalación de dolibarr, y si es añadido con éxito, puede insertarse código malicioso en la base de datos y luego ejecutarlo por eval • https://github.com/youncyb/dolibarr-rce • CWE-94: Improper Control of Generation of Code ('Code Injection') •