Filtered by vendor Dolibarr
Subscribe
Total
112 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-13828 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter. | |||||
CVE-2020-7995 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. | |||||
CVE-2020-7994 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page. | |||||
CVE-2019-16688 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.) | |||||
CVE-2019-17223 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php. | |||||
CVE-2019-17578 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field. | |||||
CVE-2019-17576 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field. | |||||
CVE-2019-17577 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field. | |||||
CVE-2019-16686 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin. | |||||
CVE-2013-2092 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php. | |||||
CVE-2020-7996 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header. | |||||
CVE-2019-19206 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture. | |||||
CVE-2019-16685 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation. | |||||
CVE-2020-9016 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header. | |||||
CVE-2019-16687 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation. | |||||
CVE-2013-2091 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php. | |||||
CVE-2013-2093 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands. | |||||
CVE-2019-1010016 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the attacker. | |||||
CVE-2019-11200 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. (Malicious binaries can be uploaded by abusing other functionalities of the application.) | |||||
CVE-2019-15062 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 6.0 MEDIUM | 8.0 HIGH |
An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.) |