CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-17577
https://notcve.org/view.php?id=CVE-2019-17577
16 Oct 2019 — An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field. Se descubrió un problema en Dolibarr versión 10.0.2. Presenta un vulnerabilidad de tipo XSS por medio de la funcionalidad "outgoing email setup" en el URI admin/mails.php? • https://mycvee.blogspot.com/p/cve-2019-17576.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-17578
https://notcve.org/view.php?id=CVE-2019-17578
16 Oct 2019 — An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field. Se detectó un problema en Dolibarr versión 10.0.2. Presenta un vulnerabilidad de tipo XSS por medio de la funcionalidad "outgoing email setup" en el URI admin/mails.php? • https://mycvee.blogspot.com/p/cve-2019-17578.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-17223
https://notcve.org/view.php?id=CVE-2019-17223
15 Oct 2019 — There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php. Se presenta inyección HTML en el campo Note en Dolibarr ERP/CRM versión 10.0.2 por medio del archivo user/note.php. • https://medium.com/%40k43p/cve-2019-17223-stored-html-injection-dolibarr-crm-erp-ad1e064d0ca5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16688
https://notcve.org/view.php?id=CVE-2019-16688
27 Sep 2019 — Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.) Dolibarr versión 9.0.5, presenta una vulnerabilidad de tipo XSS almacenado en una sección Email Template en el archivo mails_templates.php. Un usuario sin privilegios puede inyectar script para atacar al administrador. • http://verneet.com/cve-2019-16688 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16687
https://notcve.org/view.php?id=CVE-2019-16687
27 Sep 2019 — Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation. Dolibarr versión 9.0.5, presenta una vulnerabilidad de tipo XSS almacenado en un Perfil de Usuario en una sección Signature en el archivo card.php. Un usuario con el privilegio "Create/modify other users, groups and permissions" puede inyectar script y también puede alcanzar una escalada ... • http://verneet.com/cve-2019-16687 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16686
https://notcve.org/view.php?id=CVE-2019-16686
27 Sep 2019 — Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin. Dolibarr versión 9.0.5, presenta una vulnerabilidad de tipo XSS almacenado en una sección User Note en el archivo note.php. Un usuario sin privilegios puede inyectar script para atacar al administrador. • http://verneet.com/cve-2019-16686 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16685
https://notcve.org/view.php?id=CVE-2019-16685
27 Sep 2019 — Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation. Dolibarr versión 9.0.5, presenta una vulnerabilidad de tipo XSS almacenado por medio de una sección User Group Description en el archivo card.php. Un usuario con el privilegio "Create/modify other users, groups and permissions" puede inyectar script y también puede alcanzar una ... • http://verneet.com/cve-2019-16685 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2019-16197 – Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-16197
13 Sep 2019 — In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS. En el archivo htdocs/societe/card.php en Dolibarr versión 10.0.1, el valor del encabezado User-Agent de HTTP es copiado al documento HTML como texto plano entre etiquetas, conllevando a un XSS. Dolibarr ERP-CRM version 10.0.1 suffers from a user-agent cross site scripting vulnerability. • https://packetstorm.news/files/id/154481 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 2CVE-2019-15062
https://notcve.org/view.php?id=CVE-2019-15062
14 Aug 2019 — An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.) Se descubrió un problema en Dolibarr versión 11.0.0-alpha. • https://gauravnarwani.com/publications/CVE-2019-15062 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-11201
https://notcve.org/view.php?id=CVE-2019-11201
29 Jul 2019 — Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server. Dolibarr ERP/CRM versión 9.... • https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities • CWE-94: Improper Control of Generation of Code ('Code Injection') •