CVE-2017-7887 – Dolibarr 4.0.4 SQL Injection / XSS / Weaknesses
https://notcve.org/view.php?id=CVE-2017-7887
Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter. Dolibarr version 4.0.4 suffers from cross-site scripting, weak hashing, weak password change, and remote SQL injection vulnerabilities.
References:
https://www.foxmole.com/advisories/foxmole-2017-02-23.txt
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-7888 – Dolibarr 4.0.4 SQL Injection / XSS / Weaknesses
https://notcve.org/view.php?id=CVE-2017-7888
Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier. Dolibarr version 4.0.4 suffers from cross-site scripting, weak hashing, weak password change, and remote SQL injection vulnerabilities.
References:
https://www.foxmole.com/advisories/foxmole-2017-02-23.txt
CWE-326: Inadequate Encryption Strength
CVE-2017-8879 – Dolibarr 4.0.4 SQL Injection / XSS / Weaknesses
https://notcve.org/view.php?id=CVE-2017-8879
Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation. Dolibarr version 4.0.4 suffers from cross-site scripting, weak hashing, weak password change, and remote SQL injection vulnerabilities.
References:
https://www.foxmole.com/advisories/foxmole-2017-02-23.txt
CWE-287: Improper Authentication
CVE-2016-1912
https://notcve.org/view.php?id=CVE-2016-1912
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php.
References:
http://packetstormsecurity.com/files/135201/Dolibarr-3.8.3-Cross-Site-Scripting.html
http://www.information-security.fr/xss-dolibarr-version-3-8-3
https://github.com/Dolibarr/dolibarr/issues/4341
https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8
https://twitter.com/MickaelDorigny/status/684456187870457857
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-8685 – dolibarr HTML Injection
https://notcve.org/view.php?id=CVE-2015-8685
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar" page. dolibarr versions prior to 3.8.3 suffer from an HTML injection vulnerability.
References:
http://packetstormsecurity.com/files/135256/dolibarr-HTML-Injection.html
http://seclists.org/fulldisclosure/2016/Jan/40
https://github.com/Dolibarr/dolibarr/issues/4291
https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')