
Dolibarr ERP/CRM vulnerabilities (cvebase)

107 known vulnerabilities affecting dolibarr/dolibarr_erp_crm.

Total CVEs: 107
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 25, HIGH 32, MEDIUM 50

Vulnerabilities (page 5 of 6)

Each entry lists: CVE ID | priority tag and severity | CVSS score | affected or fixed version | date, followed by the CWE, the NVD description and the source.
CVE-2019-19206 | P4 MEDIUM | CVSS 5.4 | affects v10.0.3 | 2019-11-26
CWE-79. Dolibarr CRM/ERP 10.0.3 allows stored XSS via viewimage.php?file= due to JavaScript execution in an SVG image used as a profile picture.
Source: nvd

CVE-2022-2060 | P4 MEDIUM | CVSS 5.4 | fixed in 16.0.0 | 2022-06-13
CWE-79. Stored cross-site scripting (XSS) in GitHub repository dolibarr/dolibarr prior to 16.0.
Source: nvd

CVE-2019-16685 | P4 MEDIUM | CVSS 5.4 | affects v9.0.5 | 2019-09-27
CWE-79. Dolibarr 9.0.5 has a stored XSS vulnerability via the User Group Description section of card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
Source: nvd

CVE-2020-13239 | P4 MEDIUM | CVSS 5.4 | affects v11.0.4 | 2020-05-20
CWE-79. The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.
Source: nvd
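CVE-2019-19206 (a script-bearing SVG accepted as a profile picture and served from the application origin) and CVE-2020-13239 (an uploaded .html file rendered inline once the client drops the attachment parameter) are the same failure mode: the server lets the client, or the file's own extension, decide whether active content is rendered. The check below is an added example written for this page, not Dolibarr code or a Dolibarr fix. It sniffs the uploaded bytes instead of trusting the declared type, rejects SVG avatars outright (distinguishing scripted SVG for logging), and picks the response headers server-side so that active content types are always sent as attachments regardless of what the request asked for. All function names, the MIME list and the sample uploads are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# MIME types a browser will run script from when the response is rendered inline.
# Constructed for this example; extend it to whatever your upload endpoint can serve.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}


def headers_for_upload_download(content_type: str, filename: str,
                                client_wants_attachment: bool) -> Dict[str, str]:
    """Headers for serving a user-uploaded file from the application's origin.

    The server, not the request, decides the disposition: active content is always
    sent as an attachment, so removing an 'attachment' query parameter (the pattern
    described for CVE-2020-13239) cannot make the browser render it inline.
    """
    base_type = content_type.split(";", 1)[0].strip().lower()
    force_attachment = base_type in ACTIVE_CONTENT_TYPES
    disposition = "attachment" if (force_attachment or client_wants_attachment) else "inline"
    # Keep the filename out of header-injection territory: ASCII-safe characters only.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",   # stop the browser sniffing an 'image' into HTML
        "Content-Security-Policy": "sandbox",  # defence in depth: even if rendered, no script runs
    }


def sniff_image_kind(data: bytes) -> Optional[str]:
    """Identify an upload by its leading bytes, not by client-supplied type or extension."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<?xml") or b"<svg" in head:
        return "svg"
    return None


# Markup inside an SVG that makes a browser execute script when the file is rendered.
SVG_ACTIVE = re.compile(
    rb"<script\b|[\s\"'/]on[a-z]+\s*=|javascript:|<foreignobject\b|<iframe\b|<embed\b",
    re.IGNORECASE,
)


def svg_has_active_content(data: bytes) -> bool:
    return SVG_ACTIVE.search(data) is not None


def avatar_upload_allowed(data: bytes) -> Tuple[bool, str]:
    """Profile-picture policy: raster images only. SVG is rejected whether or not it
    carries script (CVE-2019-19206 is an SVG avatar served from the app origin); the
    reason string lets the caller log scripted uploads separately."""
    kind = sniff_image_kind(data)
    if kind in ("png", "jpeg", "gif"):
        return True, kind
    if kind == "svg":
        return False, "svg-with-script" if svg_has_active_content(data) else "svg"
    return False, "unknown-format"


# Constructed sample uploads for the example (not files from any real instance).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_BENIGN = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SVG_SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
                b'<script>alert(1)</script></svg>')

if __name__ == "__main__":
    for name, blob in (("png", PNG_SAMPLE), ("benign svg", SVG_BENIGN), ("scripted svg", SVG_SCRIPTED)):
        print(name, avatar_upload_allowed(blob))
    print(headers_for_upload_download("text/html; charset=utf-8", "report.html", False))
```

If SVG must be accepted somewhere (logos, diagrams), serve it with the attachment policy above or from a separate cookieless origin; rewriting SVG to strip script is far harder to get right than refusing it for avatars.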
CVE-2020-11823 | P4 MEDIUM | CVSS 5.4 | affects v10.0.6 | 2020-04-16
CWE-79. In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.
Source: nvd

CVE-2020-7994 | P4 MEDIUM | CVSS 6.1 | affects v10.0.6 | 2020-01-26
CWE-79. Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php
Source: nvd

CVE-2018-19993 | P4 MEDIUM | CVSS 6.1 | affects v8.0.2 | 2019-01-03
CWE-79. A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the transphrase parameter to public/notice.php.
Source: nvd

CVE-2017-17971 | P4 MEDIUM | CVSS 6.1 | affects v6.0.4 | 2017-12-29
CWE-79. The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS.
Source: nvd
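CVE-2017-17971 is the textbook failure of a blocklist: a filter that names specific event attributes is only as complete as its list, and HTML has dozens of on* handlers. The block below is an added example for this page, not Dolibarr's test_sql_and_script_inject or its patch. It puts a hypothetical blocklist of the same shape next to two alternatives: a generic check that rejects any attribute of the form on<letters>= regardless of case or spacing, and an allowlist sanitiser that re-serialises only known tags and attributes, so an unlisted attribute such as onclick can never reach the output. Sample inputs, BLOCKED_EVENTS and ALLOWED_TAGS are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs: markup a user might submit in a free-text field.
SAMPLES = {
    "plain":       '<a href="/x">link</a>',
    "onmouseover": '<a href="/x" onmouseover="alert(1)">link</a>',
    "onclick":     '<a href="/x" onclick="alert(1)">link</a>',
    "onscroll":    '<div onscroll="alert(1)">text</div>',
    "mixed_case":  '<a href="/x" OnClick="alert(1)">link</a>',
    "spaced":      '<a href="/x" onclick ="alert(1)">link</a>',
}

# Hypothetical blocklist in the shape the CVE describes: a few named event attributes
# are rejected and everything else passes. Not Dolibarr's function.
BLOCKED_EVENTS = ("onmouseover", "onmouseout", "onload", "onerror", "onkeyup")


def blocklist_rejects(s: str) -> bool:
    lowered = s.lower()
    return any(ev in lowered for ev in BLOCKED_EVENTS)


# Generic detection: any attribute name on<letters> followed by '=', whatever the case
# and whatever whitespace sits before the '='. Catches onclick, onscroll, and the rest.
EVENT_ATTR = re.compile(r"""[\s"'/<]on[a-z]+\s*=""", re.IGNORECASE)


def any_event_attr_rejects(s: str) -> bool:
    return EVENT_ATTR.search(s) is not None


# Allowlist sanitiser: keep only listed tags and attributes, escape all text, and
# re-serialise. Unknown tags are dropped but their text content is kept.
ALLOWED_TAGS = {"a": {"href"}, "b": set(), "i": set(), "p": set(), "br": set()}


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:          # HTMLParser lower-cases attribute names
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and not value.lower().lstrip().startswith(("http://", "https://", "/")):
                continue                   # no javascript: or data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> is emitted as <br>, no stray end tag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))


def sanitize(s: str) -> str:
    p = AllowlistSanitizer()
    p.feed(s)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for name, markup in SAMPLES.items():
        print(f"{name:12} blocklist={blocklist_rejects(markup)!s:5} "
              f"generic={any_event_attr_rejects(markup)!s:5} sanitized={sanitize(markup)}")
```

Run it and the blocklist passes onclick, onscroll, the mixed-case and the spaced variants; the generic check rejects all of them, and the allowlist output for every sample is the same plain link or text. In practice the allowlist route (or simply HTML-escaping fields that never needed markup) is the fix; the generic regex is a reasonable detection signal but, like any pattern, not a sanitiser.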
CVE-2017-7887 | P4 MEDIUM | CVSS 6.1 | affects v4.0.4 | 2017-05-10
CWE-79. Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter.
Source: nvd

CVE-2020-14475 | P4 MEDIUM | CVSS 6.1 | affects v11.0.3 | 2020-06-19
CWE-79. A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey).
Source: nvd

CVE-2020-9016 | P4 MEDIUM | CVSS 5.4 | affects v11.0.0 | 2020-02-16
CWE-79. Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
Source: nvd

CVE-2020-13828 | P4 MEDIUM | CVSS 5.4 | affects v11.0.4 | 2020-08-31
CWE-79. Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or
Source: nvd

CVE-2019-17578 | P4 MEDIUM | CVSS 5.4 | affects v10.0.2 | 2019-10-16
CWE-79. An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field.
Source: nvd

CVE-2019-17576 | P4 MEDIUM | CVSS 5.4 | affects v10.0.2 | 2019-10-16
CWE-79. An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field.
Source: nvd

CVE-2019-16686 | P4 MEDIUM | CVSS 5.4 | affects v9.0.5 | 2019-09-27
CWE-79. Dolibarr 9.0.5 has stored XSS in the User Note section of note.php. A user with no privileges can inject script to attack the admin.
Source: nvd

CVE-2017-18259 | P4 MEDIUM | CVSS 5.4 | affects ≤ 7.0.0 | 2018-04-11
CWE-79. Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in versions through 7.0.0.
Source: nvd

CVE-2018-19995 | P4 MEDIUM | CVSS 5.4 | affects v8.0.2 | 2019-01-03
CWE-79. A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php.
Source: nvd

CVE-2018-19992 | P4 MEDIUM | CVSS 5.4 | affects v8.0.2 | 2019-01-03
CWE-79. A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php.
Source: nvd

CVE-2019-17577 | P4 MEDIUM | CVSS 5.4 | affects v10.0.2 | 2019-10-16
CWE-79. An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field.
Source: nvd

CVE-2017-9838 | P4 MEDIUM | CVSS 5.4 | fixed in 5.0.4 | 2018-04-11
CWE-79. Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5.0.4: index.php (leftmenu parameter), core/ajax/box.php (PATH_INFO), product/stats/card.php (type parameter), holiday/list.php (month_create, month_start, and month_end parameters), and don/card.php (societe, lastname, firstname, address, z
Source: nvd