
Dolibarr ERP CRM vulnerabilities

107 known vulnerabilities affecting dolibarr/dolibarr_erp_crm.

Total CVEs: 107
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 25, HIGH 32, MEDIUM 50

Vulnerabilities

Page 3 of 6
CVE-2024-29477 | P3 | HIGH | CVSS 8.8 | fixed in 19.0.1 | 2024-04-03
[HIGH] CWE-94: Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.
Source: NVD
CVE-2019-11200 | P3 | HIGH | CVSS 8.8 | v9.0.1 | 2019-07-29
[HIGH] Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. (Malicious binaries can be uploaded by abusing other functionalities of the application.)
Source: NVD
CVE-2017-7886 | P3 | CRITICAL | CVSS 9.8 | v4.0.4 | 2017-05-10
[CRITICAL] CWE-89: Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter.
Source: NVD
CVE-2026-31018 | P3 | HIGH | CVSS 8.8 | ≤ 22.0.4 | 2026-04-21
[HIGH] CWE-94: In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.
Source: NVD
CVE-2022-43138 | P3 | CRITICAL | CVSS 9.8 | fixed in 14.0.1 | 2022-11-17
[CRITICAL] CWE-269: Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.
Source: NVD
CVE-2019-25450 | P3 | HIGH | CVSS 7.5 | v10.0.1 | 2026-02-22
[HIGH] CWE-89: Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database informat
Source: NVD
CVE-2020-35136 | P3 | HIGH | CVSS 7.2 | v12.0.3 | 2020-12-23
[HIGH] CWE-88: Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.
Source: NVD
CVE-2017-18260 | P3 | HIGH | CVSS 8.8 | ≤ 7.0.0 | 2018-04-11
[HIGH] CWE-89: Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities in versions through 7.0.0 via comm/propal/list.php (viewstatut parameter) or comm/propal/list.php (propal_statut parameter, aka search_statut parameter).
Source: NVD
CVE-2017-9839 | P3 | HIGH | CVSS 8.8 | fixed in 5.0.4 | 2018-04-11
[HIGH] CWE-89: Dolibarr ERP/CRM is affected by SQL injection in versions before 5.0.4 via product/stats/card.php (type parameter).
Source: NVD
CVE-2019-1010054 | P3 | HIGH | CVSS 8.8 | v7.0.0 | 2019-07-18
[HIGH] CWE-352: Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malicious HTML to change user password, disable users and disable password encryption. The component is: Function User password change, user disable and password encryption. The attack vector is: admin access malicious URLs.
Source: NVD
CVE-2019-11201 | P3 | HIGH | CVSS 8.0 | v9.0.1 | 2019-07-29
[HIGH] CWE-94: Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content.
Source: NVD
CVE-2011-4814 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 3.1.0, v2.5.0, +9 more | 2011-12-14
[MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss parameter to (5) admin/ihm.php and (6) user/home.php.
Source: NVD
CVE-2026-34036 | P3 | MEDIUM | CVSS 6.5 | ≤ 22.0.4 | 2026-03-31
[MEDIUM] CWE-98: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access contro
Source: NVD
CVE-2014-3991 | P4 | MEDIUM | CVSS 4.3 | PoC | v3.5.3 | 2014-07-11
[MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu, or (7) leftmenu parameter to index.php; the (8) dol_use_jmobile, (9) dol
Source: NVD
CVE-2023-38888 | P3 | CRITICAL | CVSS 9.6 | ≤ 17.0.1 | 2023-09-20
[CRITICAL] CWE-79: Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.
Source: NVD
CVE-2021-25956 | P3 | HIGH | CVSS 7.2 | v3.3.0 | 2021-08-17
[HIGH] CWE-284: In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having
Source: NVD
CVE-2017-17898 | P3 | HIGH | CVSS 7.5 | v6.0.4 | 2017-12-27
[HIGH] CWE-200: Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.
Source: NVD
CVE-2017-7888 | P3 | CRITICAL | CVSS 9.8 | v4.0.4 | 2017-05-10
[CRITICAL] CWE-326: Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.
Source: NVD
CVE-2024-55227 | P3 | CRITICAL | CVSS 9.0 | v21.0.0 | 2025-01-27
[CRITICAL] CWE-79: A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
Source: NVD
CVE-2021-37517 | P3 | HIGH | CVSS 7.5 | v13.0.2 | 2022-03-31
[HIGH] CWE-863: An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0, in the forgot-password function because the application allows email addresses as usernames, which can cause a Denial of Service.
Source: NVD