cvebase

Dolibarr vulnerabilities

114 known vulnerabilities affecting dolibarr/dolibarr.

Total CVEs: 114
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 27, HIGH 38, MEDIUM 47, LOW 2

Vulnerabilities

Page 1 of 6
CVE-2018-10094 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 7.0.2 | 2018-05-22
[CRITICAL] CWE-89: SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes.
Sources: GHSA, NVD, OSV

CVE-2023-30253 | P1 | HIGH | PoC | affected ≥ 0, < 17.0.1 | 2023-05-29
[HIGH] CWE-78: Dolibarr vulnerable to remote code execution via uppercase manipulation. Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
Sources: GHSA, OSV

CVE-2024-5315 | P2 | CRITICAL | PoC | affected ≥ 0, ≤ 9.0.1 | 2024-05-24
[CRITICAL] CWE-89: Dolibarr vulnerable to SQL injection. Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters in /dolibarr/commande/list.php.
Sources: GHSA, OSV

CVE-2020-14209 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 11.0.5 | 2020-09-02
[HIGH] CWE-434: Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).
Sources: GHSA, NVD, OSV

CVE-2018-10095 | P3 | MEDIUM | CVSS 6.1 | PoC | fixed in 7.0.2 | 2018-05-22
[MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
Sources: GHSA, NVD, OSV

CVE-2023-33568 | P2 | HIGH | PoC | affected ≥ 16.0.0, < 16.0.5 | 2023-06-13
[HIGH] CWE-200: Dolibarr vulnerable to unauthenticated database access. An issue in Dolibarr v16.0.0 to v16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.
Sources: GHSA, OSV

CVE-2023-4197 | P2 | HIGH | affected ≥ 0, < 18.0.2 | 2023-11-01
[HIGH] CWE-20: Dolibarr improper input validation vulnerability. Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
Sources: GHSA, OSV

CVE-2022-0819 | P2 | HIGH | affected ≥ 0, < 15.0.1 | 2022-03-03
[HIGH] CWE-94: Code injection in dolibarr/dolibarr. Improper PHP function sanitization leads to the ability to inject arbitrary PHP code and run arbitrary commands on the file system. In the function "dol_eval" in file "dolibarr/htdocs/core/lib/functions.lib.php", dangerous PHP functions are sanitized using "str_replace" and can be bypassed using the following code in the $s parameter
Sources: GHSA, OSV

CVE-2022-40871 | P2 | CRITICAL | affected ≥ 0, ≤ 15.0.3 | 2022-10-12
[CRITICAL] CWE-94: Dolibarr vulnerable to eval injection. Dolibarr ERP & CRM <= 15.0.3 is vulnerable to eval injection. By default, any administrator can be added to the installation page of Dolibarr, and if successfully added, malicious code can be inserted into the database and then executed by eval.
Sources: GHSA, OSV

CVE-2018-25357 | P2 | CRITICAL | affected ≥ 7.0.0, < 7.0.4; ≥ 0, < 6.0.8 | 2026-05-26
[CRITICAL] CWE-94: Dolibarr ERP CRM contains a remote code evaluation vulnerability. Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php end
Sources: GHSA

CVE-2012-1225 | P3 | HIGH | CVSS 7.5 | PoC | affected ≥ 0, < 3.5.8+dfsg1-1ubuntu1 | 2012-02-21
[HIGH]: Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php.
Sources: OSV

CVE-2013-2093 | P2 | CRITICAL | CVSS 9.8 | v3.3.4-1 | 2019-11-20
[CRITICAL] CWE-20: Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php, which allows remote attackers to execute arbitrary commands.
Sources: NVD, OSV

CVE-2026-31019 | P2 | HIGH | affected ≥ 0, ≤ 22.0.4 | 2026-04-21
[HIGH] CWE-78: Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions. In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this
Sources: GHSA

CVE-2026-23500 | P2 | CRITICAL | CVSS 9.1 | fixed in 23.0.0 | 2026-04-17
[CRITICAL] CWE-78: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inje
Sources: GHSA, NVD

CVE-2018-19799 | P3 | MEDIUM | CVSS 6.1 | PoC | affected ≤ 8.0.3 | 2018-12-26
[MEDIUM] CWE-79: Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS.
Sources: GHSA, NVD, OSV

CVE-2023-38886 | P3 | HIGH | affected ≥ 0, < 17.0.1 | 2023-09-20
[HIGH] CWE-78: An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.
Sources: GHSA, OSV

CVE-2013-2091 | P3 | CRITICAL | CVSS 9.8 | v3.3.1 | 2019-11-20
[CRITICAL] CWE-89: SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
Sources: NVD, OSV

CVE-2022-4093 | P3 | CRITICAL | affected ≥ 16.0.1, < 16.0.3 | 2022-11-21
[CRITICAL] CWE-89: SQL injection in Dolibarr. SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term comprom
Sources: GHSA, OSV

CVE-2018-9019 | P3 | CRITICAL | CVSS 9.8 | fixed in 7.0.2 | 2018-05-22
[CRITICAL] CWE-89: SQL injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php.
Sources: GHSA, NVD, OSV

CVE-2021-33816 | P3 | CRITICAL | affected ≥ 13.0.2, < 14.0.0 | 2022-05-24
[CRITICAL] CWE-94: Dolibarr remote PHP code execution. The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.
Sources: GHSA, OSV