CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11823
https://notcve.org/view.php?id=CVE-2020-11823
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account. En Dolibarr versión 10.0.6, si USER_LOGIN_FAILED está activo, hay una vulnerabilidad de tipo XSS almacenado en las herramientas de administración --) audit page. Esto puede conllevar al robo de la cuenta de administrador. • https://fatihhcelik.blogspot.com/2020/04/dolibarr-stored-xss.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-9016
https://notcve.org/view.php?id=CVE-2020-9016
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header. Dolibarr versión 11.0, permite un ataque de tipo XSS por medio de los parámetros joinfiles, topic, o code, o el encabezado Referer HTTP. • https://code610.blogspot.com/2020/02/this-time-i-tried-to-check-one-of.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2020-7994
https://notcve.org/view.php?id=CVE-2020-7994
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en Dolibarr versión 10.0.6, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio del (1) parámetro label[libelle] en la página /htdocs/admin/dict.php? • https://github.com/tufangungor/tufangungor.github.io/blob/master/0days.md https://tufangungor.github.io/0days • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 18%CPEs: 1EXPL: 1CVE-2020-7995 – Dolibarr ERP/CRM 10.0.6 Login Brute Forcer
https://notcve.org/view.php?id=CVE-2020-7995
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. La página de inicio de sesión htdocs/index.php?mainmenu=home en Dolibarr versión 10.0.6, permite una tasa ilimitada de intentos de autenticación fallidos. • http://packetstormsecurity.com/files/163541/Dolibarr-ERP-CRM-10.0.6-Login-Brute-Forcer.html https://github.com/tufangungor/tufangungor.github.io/blob/master/_posts/2020-01-19-dolibarr-10.0.6-brute-force.md https://tufangungor.github.io/exploit/2020/01/18/dolibarr-10.0.6-brute-force.html • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2020-7996
https://notcve.org/view.php?id=CVE-2020-7996
htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header. El archivo htdocs/user/passwordforgotten.php en Dolibarr versión 10.0.6, permite un ataque de tipo XSS por medio del encabezado HTTP Referer. • https://github.com/tufangungor/tufangungor.github.io/blob/master/_posts/2020-01-19-dolibarr-10.0.6-xss-in-http-header.md https://tufangungor.github.io/exploit/2020/01/18/dolibarr-10.0.6-xss-in-http-header.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •