Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-4802SQL Injection in ERP CRM

CWE-89SQL Injection6 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
2.6%
top 14.24%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Dolibarr ERP CRM
Timeline
PublishedDec 14
Latest updateMay 14

Description

Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.php in user/; and (9) rowid parameter to admin/boxes.php.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages1 packages

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-m47c-vx53-g89g: Multiple SQL injection vulnerabilities in Dolibarr 32022-05-14
CVEList
CVE-2011-4802: Multiple SQL injection vulnerabilities in Dolibarr 32011-12-14

💥Exploits & PoCs

3
Exploit-DB
Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection2011-11-23
Exploit-DB
Dolibarr ERP/CRM 3.1.0 - '/user/index.php' Multiple SQL Injections2011-11-23
Exploit-DB
Dolibarr ERP/CRM 3.1.0 - '/user/info.php?id' SQL Injection2011-11-23
CVE-2011-4802 — SQL Injection in Dolibarr ERP CRM | cvebase