CVE-2024-5315 – Multiple vulnerabilities in DOLIBARR's ERP CMS
https://notcve.org/view.php?id=CVE-2024-5315
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters viewstatut in /dolibarr/commande/list.php. Vulnerabilidades en Dolibarr ERP - CRM que afectan a la versión 9.0.1 y permiten inyección SQL. Estas vulnerabilidades podrían permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al sistema y recuperar toda la información almacenada en la base de datos a través de los parámetros viewstatut en /dolibarr/commande/list.php. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dolibarrs-erp-cms • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-5314 – Multiple vulnerabilities in DOLIBARR's ERP CMS
https://notcve.org/view.php?id=CVE-2024-5314
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters sortorder y sortfield in /dolibarr/admin/dict.php. Vulnerabilidades en Dolibarr ERP - CRM que afectan a la versión 9.0.1 y permiten inyección SQL. Estas vulnerabilidades podrían permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al sistema y recuperar toda la información almacenada en la base de datos a través de los parámetros sortorder y sortfield en /dolibarr/admin/dict.php. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dolibarrs-erp-cms • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-23817 – Dolibarr Application Home Page HTML injection vulnerability
https://notcve.org/view.php?id=CVE-2024-23817
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). • https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-7947-48q7-cp5m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2023-4198 – Dolibarr ERP CRM (<= 17.0.3) Improper Access Control
https://notcve.org/view.php?id=CVE-2023-4198
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data El control de acceso inadecuado en Dolibarr ERP CRM versiones <= 17.0.3 permite a un usuario autenticado no autorizado leer una tabla de base de datos que contiene datos del cliente • https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb#diff-7d68365a708c954051853ade884c7e97c6ff13150ee92657d6ffc8603e0f947b https://starlabs.sg/advisories/23/23-4198 • CWE-862: Missing Authorization •
CVE-2023-4197 – Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE
https://notcve.org/view.php?id=CVE-2023-4197
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. La validación de entrada incorrecta en Dolibarr ERP CRM versiones <= 18.0.1 no elimina cierto código PHP de la entrada proporcionada por el usuario al crear un sitio web, lo que permite a un atacante inyectar y evaluar código PHP arbitrario. • https://github.com/alien-keric/CVE-2023-4197 https://github.com/Dolibarr/dolibarr/commit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e https://starlabs.sg/advisories/23/23-4197 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •