cvebase

Dolibarr Erp Crm vulnerabilities

107 known vulnerabilities affecting dolibarr/dolibarr_erp_crm.

Total CVEs: 107
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 25, HIGH 32, MEDIUM 50

Vulnerabilities

Page 2 of 6
CVE-2017-17900 | P3 | CRITICAL | CVSS 9.8 | v6.0.4 | 2017-12-27
CVE-2017-17900 [CRITICAL] CWE-89: SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter.
Source: nvd
CVE-2017-17899 | P3 | CRITICAL | CVSS 9.8 | v6.0.4 | 2017-12-27
CVE-2017-17899 [CRITICAL] CWE-89: SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter.
Source: nvd
CVE-2018-13447 | P3 | CRITICAL | CVSS 9.8 | v7.0.3 | 2018-07-08
CVE-2018-13447 [CRITICAL] CWE-89: SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut parameter.
Source: nvd
CVE-2018-13448 | P3 | CRITICAL | CVSS 9.8 | v7.0.3 | 2018-07-08
CVE-2018-13448 [CRITICAL] CWE-89: SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the country_id parameter.
Source: nvd
CVE-2018-13450 | P3 | CRITICAL | CVSS 9.8 | v7.0.3 | 2018-07-08
CVE-2018-13450 [CRITICAL] CWE-89: SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the status_batch parameter.
Source: nvd
CVE-2018-13449 | P3 | CRITICAL | CVSS 9.8 | v7.0.3 | 2018-07-08
CVE-2018-13449 [CRITICAL] CWE-89: SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut_buy parameter.
Source: nvd
CVE-2024-5314 | P3 | CRITICAL | CVSS 9.1 | v9.0.1 | 2024-05-24
CVE-2024-5314 [CRITICAL] CWE-89: Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters sortorder and sortfield in /dolibarr/admin/dict.php.
Source: nvd
CVE-2019-16197 | P3 | MEDIUM | CVSS 6.1 | PoC | v10.0.1 | 2019-09-16
CVE-2019-16197 [MEDIUM] CWE-79: In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS.
Source: nvd
CVE-2019-25710 | P3 | CRITICAL | CVSS 9.1 | ≤ 8.0.4 | 2026-04-12
CVE-2019-25710 [CRITICAL] CWE-89: Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.
Source: nvd
CVE-2021-33618 | P3 | MEDIUM | CVSS 6.1 | v13.0.2 | 2021-11-10
CVE-2021-33618 [MEDIUM] CWE-79: Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.
Source: nvd
CVE-2019-25452 | P3 | HIGH | CVSS 7.5 | v10.0.1 | 2026-02-22
CVE-2019-25452 [HIGH] CWE-89: Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time
Source: nvd
CVE-2018-19994 | P3 | HIGH | CVSS 8.8 | v8.0.2 | 2019-01-03
CVE-2018-19994 [HIGH] CWE-89: An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter.
Source: nvd
CVE-2020-7995 | P3 | CRITICAL | CVSS 9.8 | v10.0.6 | 2020-01-26
CVE-2020-7995 [CRITICAL] CWE-307: The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.
Source: nvd
CVE-2017-17897 | P3 | CRITICAL | CVSS 9.8 | v6.0.4 | 2017-12-27
CVE-2017-17897 [CRITICAL] CWE-89: SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Source: nvd
CVE-2025-67486 | P3 | HIGH | CVSS 7.2 | ≤ 22.0.2 | 2026-05-08
CVE-2025-67486 [HIGH] CWE-74: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contain an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate saniti
Source: nvd
CVE-2018-19998 | P3 | HIGH | CVSS 8.8 | v8.0.2 | 2019-01-03
CVE-2018-19998 [HIGH] CWE-89: SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.
Source: nvd
CVE-2021-36625 | P3 | HIGH | CVSS 8.8 | v13.0.2 | 2022-03-31
CVE-2021-36625 [HIGH] CWE-89: An SQL injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.
Source: nvd
CVE-2024-37821 | P3 | HIGH | CVSS 8.8 | fixed in 19.0.2 | 2024-06-18
CVE-2024-37821 [HIGH] CWE-94: An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.
Source: nvd
CVE-2025-56588 | P3 | HIGH | CVSS 8.8 | v21.0.1 | 2025-10-01
CVE-2025-56588 [HIGH] CWE-94: Dolibarr ERP & CRM v21.0.1 was discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.
Source: nvd
CVE-2023-38887 | P3 | HIGH | CVSS 8.8 | ≤ 17.0.1 | 2023-09-20
CVE-2023-38887 [HIGH] CWE-434: File upload vulnerability in Dolibarr ERP CRM v17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.
Source: nvd