CVSS: 6.1EPSS: 95%CPEs: 1EXPL: 0CVE-2018-10095 – Dolibarr 7.0.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-10095
Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php. Una vulnerabilidad de Cross-Site Scripting (XSS) en Dolibarr, en versiones anteriores a la 7.0.2, permite que atacantes remotos inyecten scripts web o HTML mediante el parámetro foruserlogin en adherents/cartes/carte.php. Dolibarr version 7.0.0 suffers from a cross site scripting vulnerability. • http://www.openwall.com/lists/oss-security/2018/05/21/3 https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog https://github.com/Dolibarr/dolibarr/commit/1dc466e1fb687cfe647de4af891720419823ed56 https://sysdream.com/news/lab/2018-05-21-cve-2018-10095-dolibarr-xss-injection-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 90%CPEs: 1EXPL: 3CVE-2018-10094 – Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection
https://notcve.org/view.php?id=CVE-2018-10094
SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes. Vulnerabilidad de inyección SQL en Dolibarr en versiones anteriores a la 7.0.2 permite que los atacantes remotos ejecuten comandos SQL arbitrarios mediante vectores relacionados con los parámetros de enteros sin comillas. Dolibarr version 7.00 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/44805 http://www.openwall.com/lists/oss-security/2018/05/21/1 https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog https://github.com/Dolibarr/dolibarr/commit/7ade4e37f24d6859987bb9f6232f604325633fdd https://sysdream.com/news/lab/2018-05-21-cve-2018-10094-dolibarr-sql-injection-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 2CVE-2018-10092 – Dolibarr 7.0.0 Admin Panel Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-10092
The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads. El panel de administrador en Dolibarr en versiones anteriores a la 7.0.2 podría permitir que atacantes remotos ejecuten comandos arbitrarios aprovechando el soporte para actualizar el comando y los parámetros del antivirus empleados para escanear las subidas de archivos. Dolibarr version 7.0.0 suffers from a remote code execution vulnerability. • http://www.openwall.com/lists/oss-security/2018/05/21/2 https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog https://github.com/Dolibarr/dolibarr/commit/5d121b2d3ae2a95abebc9dc31e4782cbc61a1f39 https://sysdream.com/news/lab/2018-05-21-cve-2018-10092-dolibarr-admin-panel-authenticated-remote-code-execution-rce-vulnerability • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-9019
https://notcve.org/view.php?id=CVE-2018-9019
SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php. Vulnerabilidad de inyección SQL en Dolibarr en versiones anteriores a la 7.0.2 permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro sortfield en /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php o /admin/website.php. • https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog https://github.com/Dolibarr/dolibarr/commit/83b762b681c6dfdceb809d26ce95f3667b614739 https://www.oracle.com/security-alerts/cpujan2021.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9840
https://notcve.org/view.php?id=CVE-2017-9840
Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. Dolibarr ERP/CRM 5.0.3 y anteriores permite a usuarios con pocos privilegios subir archivos de tipos peligrosos, lo que puede resultar en la ejecución de código arbitrario dentro del contexto de la aplicación vulnerable. • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-009 • CWE-434: Unrestricted Upload of File with Dangerous Type •