Dolibarr Erp Crm vulnerabilities

107 known vulnerabilities affecting dolibarr/dolibarr_erp_crm.

Total CVEs: 107
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 25, HIGH 32, MEDIUM 50

Vulnerabilities

Page 1 of 6
CVE-2023-30253 | P1 | HIGH | CVSS 8.8 | PoC | fixed in 17.0.1 | 2023-05-29
CWE-78: Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
Source: nvd

CVE-2024-5315 | P2 | CRITICAL | CVSS 9.1 | PoC | v9.0.1 | 2024-05-24
CWE-89: Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters viewstatut in /dolibarr/commande/list.php.
Source: nvd

CVE-2023-33568 | P2 | HIGH | CVSS 7.5 | PoC | ≥ 16.0.0, < 16.0.5 | 2023-06-13
CWE-552: An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.
Source: nvd

CVE-2012-1226 | P3 | HIGH | CVSS 7.5 | PoC | v3.2.0 | 2012-02-21
CWE-22: Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to comm/action/fiche.php.
Source: nvd

CVE-2023-4197 | P2 | HIGH | CVSS 8.8 | ≤ 18.0.1 | 2023-11-01
CWE-20: Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
Source: nvd

CVE-2022-0819 | P2 | HIGH | CVSS 8.8 | fixed in 15.0.1 | 2022-03-02
CWE-94: Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
Source: nvd

CVE-2022-40871 | P2 | CRITICAL | CVSS 9.8 | ≤ 15.0.3 | 2022-10-12
CWE-94: Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.
Source: nvd

CVE-2018-25357 | P2 | CRITICAL | CVSS 9.8 | ≤ 7.0.3 | 2026-05-23
CWE-94: Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the
Sources: cvelistv5, nvd

CVE-2026-22666 | P2 | HIGH | CVSS 7.2 | fixed in 23.0.2 | 2026-04-07
CWE-95: Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or ot
Source: nvd

CVE-2012-1225 | P3 | HIGH | CVSS 7.5 | PoC | ≤ 3.2.0, v2.5.0, +10 more | 2012-02-21
CWE-89: Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php.
Source: nvd

CVE-2026-31019 | P2 | HIGH | CVSS 8.8 | ≤ 22.0.4 | 2026-04-21
CWE-78: In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating
Source: nvd

CVE-2011-4802 | P3 | MEDIUM | CVSS 6.5 | PoC | ≤ 3.1.0, v2.5.0, +9 more | 2011-12-14
CWE-89: Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.
Source: nvd

CVE-2013-2093 | P2 | CRITICAL | CVSS 9.8 | v3.3.1 | 2019-11-20
CWE-20: Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
Source: nvd

CVE-2023-38886 | P3 | HIGH | CVSS 7.2 | ≤ 17.0.1 | 2023-09-20
CWE-78: An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.
Source: nvd

CVE-2026-23500 | P2 | CRITICAL | CVSS 9.1 | fixed in 23.0.0 | 2026-04-17
CWE-78: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inje
Source: nvd

CVE-2022-4093 | P3 | CRITICAL | CVSS 9.8 | v16.0.1, v16.0.2 | 2022-11-21
CWE-89: SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor
Source: nvd

CVE-2014-3992 | P3 | MEDIUM | CVSS 6.5 | PoC | v3.5.3 | 2014-07-11
CWE-89: Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php.
Source: nvd

CVE-2021-33816 | P3 | CRITICAL | CVSS 9.8 | v13.0.2 | 2021-11-10
CWE-94: The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.
Source: nvd

CVE-2013-2091 | P3 | CRITICAL | CVSS 9.8 | v3.3.1 | 2019-11-20
CWE-89: SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
Source: nvd

CVE-2022-0224 | P3 | CRITICAL | CVSS 9.8 | fixed in 15.0.0 | 2022-01-14
CWE-89: dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command.
Source: nvd