CVE-2018-9019 — SQL Injection in Dolibarr

CWE-89 — SQL Injection6 documents5 sources

Severity

9.8CRITICALNVD

EPSS

2.0%

top 16.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dolibarr Oracle Data Integrator

Timeline

PublishedMay 22

Latest updateMay 13

Description

SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDdolibarr/dolibarr< 7.0.2

▶Packagistdolibarr/dolibarr< 7.0.2

▶NVDoracle/data_integrator11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Dolibarr SQL Injection vulnerability↗2022-05-13

▶

GHSA

Dolibarr SQL Injection vulnerability↗2022-05-13

▶

OSV

CVE-2018-9019: SQL Injection vulnerability in Dolibarr before version 7↗2018-05-22

▶

CVEList

CVE-2018-9019: SQL Injection vulnerability in Dolibarr before version 7↗2018-05-22

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Rest Service (Dolibarr) — CVE-2018-9019↗2021-01-15

▶