
Dolibarr Erp Crm vulnerabilities

107 known vulnerabilities affecting dolibarr/dolibarr_erp_crm.

Total CVEs: 107
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 25, HIGH 32, MEDIUM 50

Vulnerabilities

Page 4 of 6
CVE | P-level | Severity | CVSS | CWE | Version | Date

CVE-2024-55228 | P3 | CRITICAL | CVSS 9.0 | CWE-79 | v21.0.0 | 2025-01-27
  A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
  Source: nvd

CVE-2023-4198 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | ≤ 17.0.3 | 2023-11-01
  Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data.
  Source: nvd

CVE-2019-15062 | P3 | HIGH | CVSS 8.0 | CWE-352 | v11.0.0 | 2019-08-14
  An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the
  Source: nvd

CVE-2024-31503 | P4 | HIGH | CVSS 7.5 | CWE-352 | fixed in 19.0.1 | 2024-04-17
  Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.
  Source: nvd

CVE-2020-11825 | P4 | HIGH | CVSS 8.8 | CWE-352 | v10.0.6 | 2020-04-16
  In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is that any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.
  Source: nvd

CVE-2022-0731 | P4 | MEDIUM | CVSS 6.5 | CWE-284 | fixed in 16.0.0 | 2022-02-23
  Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
  Source: nvd

CVE-2021-47779 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v14.0.2 | 2026-01-16
  Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.
  Source: nvd

CVE-2017-8879 | P4 | MEDIUM | CVSS 6.8 | CWE-287 | v4.0.4 | 2017-05-10
  Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation.
  Source: nvd

CVE-2024-23817 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v18.0.4 | 2024-01-25
  Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has an HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifical
  Source: nvd

CVE-2020-13240 | P4 | MEDIUM | CVSS 5.4 | CWE-276 | v11.0.4 | 2020-05-20
  The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
  Source: nvd

CVE-2022-30875 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v12.0.5 | 2022-06-08
  Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via the SQL Error Page.
  Source: nvd

CVE-2019-11199 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v9.0.1 | 2019-07-29
  Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be exploited by low privileged users to target administrators. The viewimage.p
  Source: nvd

CVE-2019-16687 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v9.0.5 | 2019-09-27
  Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
  Source: nvd

CVE-2019-16688 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v9.0.5 | 2019-09-27
  Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.)
  Source: nvd

CVE-2022-22293 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v7.0.2 | 2022-01-02
  admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.
  Source: nvd

CVE-2013-2092 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v3.3.1 | 2019-11-20
  Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
  Source: nvd

CVE-2020-7996 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v10.0.6 | 2020-01-26
  htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header.
  Source: nvd

CVE-2019-17223 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v10.0.2 | 2019-10-15
  There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php.
  Source: nvd

CVE-2019-1010016 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v6.0.4 | 2019-07-15
  Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the attacker.
  Source: nvd

CVE-2023-5323 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 18.0 | 2023-10-01
  Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.
  Source: nvd