
CVE-2012-10059 – Dolibarr ERP/CRM Post-Auth OS Command Injection
https://notcve.org/view.php?id=CVE-2012-10059
13 Aug 2025 — Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in the database backup feature. The export.php script fails to sanitize the sql_compat parameter, allowing authenticated users to inject arbitrary system commands, resulting in remote code execution on the server.
Reference: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dolibarr_cmd_exec.rb
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2022-4766 – dolibarr_project_timesheet Form cross-site request forgery
https://notcve.org/view.php?id=CVE-2022-4766
27 Dec 2022 — A vulnerability was found in dolibarr_project_timesheet up to 4.5.5. It has been declared as problematic. This vulnerability affects unknown code of the component Form Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely.
Reference: https://github.com/delcroip/dolibarr_project_timesheet/commit/082282e9dab43963e6c8f03cfaddd7921de377f4
CWE-352: Cross-Site Request Forgery (CSRF)