CVE-2015-3935 – Dolibarr 3.5 / 3.6 HTML Injection
https://notcve.org/view.php?id=CVE-2015-3935
30 May 2015 — Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 allow remote attackers to inject arbitrary web script or HTML via the Business Search (search_nom) field to (1) htdocs/societe/societe.php or (2) htdocs/societe/admin/societe.php. • https://packetstorm.news/files/id/132108 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-7137 – Dolibarr ERP and CRM 3.5.3 SQL Injection
https://notcve.org/view.php?id=CVE-2014-7137
19 Nov 2014 — Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4) lineid parameter in a deletecontact action, (5) ligne parameter in a swapstatut action, or (6) ref parameter to projet/contact.php; (7) id parameter to compta/bank/fiche.php, (8) contact/info.php, (9) holiday/i... • https://packetstorm.news/files/id/129175 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •