CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55227
https://notcve.org/view.php?id=CVE-2024-55227
27 Jan 2025 — A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title parameter. • https://gist.github.com/Dqtdqt/9762466cd6ec541ea265ba33b09489ff • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55228
https://notcve.org/view.php?id=CVE-2024-55228
27 Jan 2025 — A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title parameter. • https://gist.github.com/Dqtdqt/a942bbce9a5fc851dce366902411c768 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-40137
https://notcve.org/view.php?id=CVE-2024-40137
24 Jul 2024 — Dolibarr ERP CRM before 19.0.2-php8.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function. • https://github.com/c0d3x27/CVEs/tree/main/CVE-2024-40137 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37821
https://notcve.org/view.php?id=CVE-2024-37821
18 Jun 2024 — An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file. Una vulnerabilidad de carga de archivos arbitrarios en la función Cargar plantilla de Dolibarr ERP CRM hasta v19.0.1 permite a los atacantes ejecutar código arbitrario cargando un archivo .SQL manipulado. • http://dolibarr.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31503
https://notcve.org/view.php?id=CVE-2024-31503
16 Apr 2024 — Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover. El control de acceso incorrecto en las versiones 19.0.0 y anteriores de Dolibarr ERP CRM permite a atacantes autenticados robar cookies de sesión de los usuarios víctimas y tokens de protección CSRF a través de la interacción del usuario con una página web manipulada... • https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-31503.md • CWE-284: Improper Access Control •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-23817 – Dolibarr Application Home Page HTML injection vulnerability
https://notcve.org/view.php?id=CVE-2024-23817
25 Jan 2024 — Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home pag... • https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-7947-48q7-cp5m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4198 – Dolibarr ERP CRM (<= 17.0.3) Improper Access Control
https://notcve.org/view.php?id=CVE-2023-4198
01 Nov 2023 — Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data El control de acceso inadecuado en Dolibarr ERP CRM versiones <= 17.0.3 permite a un usuario autenticado no autorizado leer una tabla de base de datos que contiene datos del cliente • https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb#diff-7d68365a708c954051853ade884c7e97c6ff13150ee92657d6ffc8603e0f947b • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 13%CPEs: 1EXPL: 1CVE-2023-4197 – Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE
https://notcve.org/view.php?id=CVE-2023-4197
01 Nov 2023 — Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. La validación de entrada incorrecta en Dolibarr ERP CRM versiones <= 18.0.1 no elimina cierto código PHP de la entrada proporcionada por el usuario al crear un sitio web, lo que permite a un atacante inyectar y evaluar código PHP arbitrario. • https://github.com/alien-keric/CVE-2023-4197 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5842 – Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
https://notcve.org/view.php?id=CVE-2023-5842
30 Oct 2023 — Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5. Cross-Site Scripting (XSS) Almacenado en el repositorio de GitHub dolibarr/dolibarr anterior a 16.0.5. • https://github.com/dolibarr/dolibarr/commit/f569048eb2bd823525bce4ef52316e7a83e3345c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5323 – Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr
https://notcve.org/view.php?id=CVE-2023-5323
01 Oct 2023 — Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0. Cross-Site Scripting (XSS) Genérico en el repositorio de GitHub dolibarr/dolibarr anterior a la versión 18.0. • https://github.com/dolibarr/dolibarr/commit/695ca086847b3b6a185afa93e897972c93c43d15 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •