CVSS: 9.8EPSS: 92%CPEs: 1EXPL: 5CVE-2018-10094 – Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection
https://notcve.org/view.php?id=CVE-2018-10094
22 May 2018 — SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes. Vulnerabilidad de inyección SQL en Dolibarr en versiones anteriores a la 7.0.2 permite que los atacantes remotos ejecuten comandos SQL arbitrarios mediante vectores relacionados con los parámetros de enteros sin comillas. Dolibarr version 7.00 suffers from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/180688 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14242
https://notcve.org/view.php?id=CVE-2017-14242
11 Sep 2017 — SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter. Una vulnerabilidad de inyección SQL en don/list.php en Dolibarr 6.0.0 permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro statut. • https://github.com/Dolibarr/dolibarr/commit/33e2179b65331d9d9179b59d746817c5be1fecdb • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14238
https://notcve.org/view.php?id=CVE-2017-14238
11 Sep 2017 — SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter. Una vulnerabilidad de inyección SQL en admin/menus/edit.php en Dolibarr ERP/CRM 6.0.0 permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro menuid. • https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14239
https://notcve.org/view.php?id=CVE-2017-14239
11 Sep 2017 — Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors, (9) Note, (10) Capital, (11) ProfId1, (12) ProfId2, (13) ProfId3, (14) ProfId4, (15) ProfId5, or (16) ProfId6 parameter to htdocs/admin/company.php. Existen múltiples vulnerabilidades de tipo Cross-Site Scripting (XSS) en Dolibarr E... • https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14241
https://notcve.org/view.php?id=CVE-2017-14241
11 Sep 2017 — Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Dolibarr ERP/CRM 6.0.0 permite que usuarios autenticados remotos inyecten scripts web o HTML arbitrarios mediante el parámetro Title en htdocs/admin/menus/edit.php. • https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14240
https://notcve.org/view.php?id=CVE-2017-14240
11 Sep 2017 — There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter. Existe una vulnerabilidad de revelación de información sensible en document.php en Dolibarr ERP/CRM 6.0.0 mediante el parámetro file. • https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9840
https://notcve.org/view.php?id=CVE-2017-9840
25 Jun 2017 — Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. Dolibarr ERP/CRM 5.0.3 y anteriores permite a usuarios con pocos privilegios subir archivos de tipos peligrosos, lo que puede resultar en la ejecución de código arbitrario dentro del contexto de la aplicación vulnerable. • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-009 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9435
https://notcve.org/view.php?id=CVE-2017-9435
05 Jun 2017 — Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). El ERP/CRM Dolibarr anterior a versión 5.0.3, es vulnerable a una inyección SQL en el archivo user/index.php (parámetros search_supervisor y search_statut). • https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3CVE-2016-1912
https://notcve.org/view.php?id=CVE-2016-1912
15 Jan 2016 — Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php. Múltiples vulnerabilidades de XSS en Dolibarr ERP/CRM 3.8.3 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) lastname, (2) firstname, (3) email, (4) job o (5) signature en htdocs/... • http://packetstormsecurity.com/files/135201/Dolibarr-3.8.3-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2015-8685 – dolibarr HTML Injection
https://notcve.org/view.php?id=CVE-2015-8685
13 Jan 2016 — Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar" page. Múltiples vulnerabilidades de XSS en Dolibarr ERP/CRM 3.8.3 y versiones anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) la url de calendario externa o (2) el campo bank name en la página "import e... • https://packetstorm.news/files/id/135256 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •