CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-23817 – Dolibarr Application Home Page HTML injection vulnerability
https://notcve.org/view.php?id=CVE-2024-23817
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). • https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-7947-48q7-cp5m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4198 – Dolibarr ERP CRM (<= 17.0.3) Improper Access Control
https://notcve.org/view.php?id=CVE-2023-4198
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data El control de acceso inadecuado en Dolibarr ERP CRM versiones <= 17.0.3 permite a un usuario autenticado no autorizado leer una tabla de base de datos que contiene datos del cliente • https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb#diff-7d68365a708c954051853ade884c7e97c6ff13150ee92657d6ffc8603e0f947b https://starlabs.sg/advisories/23/23-4198 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4197 – Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE
https://notcve.org/view.php?id=CVE-2023-4197
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. La validación de entrada incorrecta en Dolibarr ERP CRM versiones <= 18.0.1 no elimina cierto código PHP de la entrada proporcionada por el usuario al crear un sitio web, lo que permite a un atacante inyectar y evaluar código PHP arbitrario. • https://github.com/alien-keric/CVE-2023-4197 https://github.com/Dolibarr/dolibarr/commit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e https://starlabs.sg/advisories/23/23-4197 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5842 – Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
https://notcve.org/view.php?id=CVE-2023-5842
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5. Cross-Site Scripting (XSS) Almacenado en el repositorio de GitHub dolibarr/dolibarr anterior a 16.0.5. • https://github.com/dolibarr/dolibarr/commit/f569048eb2bd823525bce4ef52316e7a83e3345c https://huntr.com/bounties/aed81114-5952-46f5-ae3a-e66518e98ba3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5323 – Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr
https://notcve.org/view.php?id=CVE-2023-5323
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0. Cross-Site Scripting (XSS) Genérico en el repositorio de GitHub dolibarr/dolibarr anterior a la versión 18.0. • https://github.com/dolibarr/dolibarr/commit/695ca086847b3b6a185afa93e897972c93c43d15 https://huntr.dev/bounties/7a048bb7-bfdd-4299-931e-9bc283e92bc8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •