CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4766 – dolibarr_project_timesheet Form cross-site request forgery
https://notcve.org/view.php?id=CVE-2022-4766
A vulnerability was found in dolibarr_project_timesheet up to 4.5.5. It has been declared as problematic. This vulnerability affects unknown code of the component Form Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. • https://github.com/delcroip/dolibarr_project_timesheet/commit/082282e9dab43963e6c8f03cfaddd7921de377f4 https://github.com/delcroip/dolibarr_project_timesheet/pull/200 https://github.com/delcroip/dolibarr_project_timesheet/releases/tag/4.5.6.a https://vuldb.com/?ctiid.216880 https://vuldb.com/?id.216880 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-4093 – SQL Injection in dolibarr/dolibarr
https://notcve.org/view.php?id=CVE-2022-4093
SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affect 16.0.1 and 16.0.2 only. 16.0.0 or lower, and 16.0.3 or higher are not affected Los ataques de inyección SQL pueden dar lugar a un acceso no autorizado a datos sensibles, como contraseñas, datos de tarjetas de crédito o información personal del usuario. Muchas violaciones de datos de alto perfil en los últimos años han sido el resultado de ataques de inyección SQL, lo que ha provocado daños a la reputación y multas de organismos reguladores. • https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011 https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2022-43138
https://notcve.org/view.php?id=CVE-2022-43138
Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. Dolibarr ERP y software de código abierto CRM for Business anterior a v14.0.1 permite a los atacantes escalar privilegios a través de una API manipulada. • https://www.exploit-db.com/exploits/50248 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40871
https://notcve.org/view.php?id=CVE-2022-40871
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval. Dolibarr ERP & CRM versiones anteriores a 15.0.3 incluyéndola, es vulnerable a una inyección de Eval. Por defecto, cualquier administrador puede ser añadido a la página de instalación de dolibarr, y si es añadido con éxito, puede insertarse código malicioso en la base de datos y luego ejecutarlo por eval • https://github.com/youncyb/dolibarr-rce • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2060 – Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
https://notcve.org/view.php?id=CVE-2022-2060
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0. Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Almacenado en el repositorio de GitHub dolibarr/dolibarr versiones anteriores a 16.0 • https://github.com/dolibarr/dolibarr/commit/2b5b9957c3010a5db9d1988c2efe5b209b16b47f https://huntr.dev/bounties/2acfc8fe-247c-4f88-aeaa-042b6b8690a0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •