Dolibarr ERP/CRM vulnerabilities
101 known vulnerabilities affecting dolibarr/dolibarr_erp_crm.
Total CVEs: 101
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 22, HIGH 30, MEDIUM 49
Vulnerabilities (page 5 of 6)
Each entry lists: CVE ID | severity | CVSS score | CWE | affected version(s) | date. "PoC" marks entries with a public proof of concept.
CVE-2017-18260 | HIGH | CVSS 8.8 | CWE-89 | ≤ 7.0.0 | 2018-04-11
Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities in versions through 7.0.0 via comm/propal/list.php (viewstatut parameter) or comm/propal/list.php (propal_statut parameter, aka search_statut parameter).
Source: NVD
CVE-2017-9839 | HIGH | CVSS 8.8 | CWE-89 | fixed in 5.0.4 | 2018-04-11
Dolibarr ERP/CRM is affected by SQL injection in versions before 5.0.4 via product/stats/card.php (type parameter).
Source: NVD
CVE-2017-18259 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 7.0.0 | 2018-04-11
Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in versions through 7.0.0.
Source: NVD
CVE-2017-9838 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.0.4 | 2018-04-11
Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5.0.4: index.php (leftmenu parameter), core/ajax/box.php (PATH_INFO), product/stats/card.php (type parameter), holiday/list.php (month_create, month_start, and month_end parameters), and don/card.php (societe, lastname, firstname, address, z
Source: NVD
CVE-2017-1000509 | MEDIUM | CVSS 5.4 | CWE-79 | v6.0.2 | 2018-02-09
Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code.
Source: NVD
CVE-2017-17971 | MEDIUM | CVSS 6.1 | CWE-79 | v6.0.4 | 2017-12-29
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS.
Source: NVD
CVE-2017-17900 | CRITICAL | CVSS 9.8 | CWE-89 | v6.0.4 | 2017-12-27
SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter.
Source: NVD
CVE-2017-17897 | CRITICAL | CVSS 9.8 | CWE-89 | v6.0.4 | 2017-12-27
SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Source: NVD
CVE-2017-17899 | CRITICAL | CVSS 9.8 | CWE-89 | v6.0.4 | 2017-12-27
SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter.
Source: NVD
CVE-2017-17898 | HIGH | CVSS 7.5 | CWE-200 | v6.0.4 | 2017-12-27
Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.
Source: NVD
CVE-2017-7888 | CRITICAL | CVSS 9.8 | CWE-326 | v4.0.4 | 2017-05-10
Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.
Source: NVD
CVE-2017-7886 | CRITICAL | CVSS 9.8 | CWE-89 | v4.0.4 | 2017-05-10
Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter.
Source: NVD
CVE-2017-7887 | MEDIUM | CVSS 6.1 | CWE-79 | v4.0.4 | 2017-05-10
Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter.
Source: NVD
CVE-2017-8879 | MEDIUM | CVSS 6.8 | CWE-287 | v4.0.4 | 2017-05-10
Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation.
Source: NVD
CVE-2014-3991 | MEDIUM | CVSS 4.3 | CWE-79 | PoC | v3.5.3 | 2014-07-11
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu, or (7) leftmenu parameter to index.php; the (8) dol_use_jmobile, (9) dol
Source: NVD
CVE-2014-3992 | MEDIUM | CVSS 6.5 | CWE-89 | PoC | v3.5.3 | 2014-07-11
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php.
Source: NVD
CVE-2012-1225 | HIGH | CVSS 7.5 | CWE-89 | PoC | ≤ 3.2.0, v2.5.0 and 10 more | 2012-02-21
Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php.
Source: NVD
CVE-2012-1226 | HIGH | CVSS 7.5 | CWE-22 | PoC | v3.2.0 | 2012-02-21
Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to comm/action/fiche.php.
Source: NVD
CVE-2011-4814 | MEDIUM | CVSS 4.3 | CWE-79 | PoC | ≤ 3.1.0, v2.5.0 and 9 more | 2011-12-14
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss parameter to (5) admin/ihm.php and (6) user/home.php.
Source: NVD
CVE-2011-4802 | MEDIUM | CVSS 6.5 | CWE-89 | PoC | ≤ 3.1.0, v2.5.0 and 9 more | 2011-12-14
Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.
Source: NVD