Filtered by vendor Dolibarr
Subscribe
Total
112 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11199 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be exploited by low privileged users to target administrators. The viewimage.php page did not perform any contextual output encoding and would display the content within the uploaded file with a user-requested MIME type. | |||||
| CVE-2018-16808 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Dolibarr through 7.0.0. There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private note. | |||||
| CVE-2019-1010054 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function User password change, user disable and password encryptation. The attack vector is: admin access malitious urls. | |||||
| CVE-2019-16197 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS. | |||||
| CVE-2019-11201 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-02-04 | 8.5 HIGH | 8.0 HIGH |
| Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server. | |||||
| CVE-2018-16809 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit. | |||||
| CVE-2018-19994 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter. | |||||
| CVE-2018-19998 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter. | |||||
| CVE-2018-19995 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php. | |||||
| CVE-2018-19799 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS. | |||||
| CVE-2018-19993 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the transphrase parameter to public/notice.php. | |||||
| CVE-2018-19992 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php. | |||||
| CVE-2017-1000509 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code. | |||||
| CVE-2018-13449 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut_buy parameter. | |||||
| CVE-2018-10092 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 6.0 MEDIUM | 8.0 HIGH |
| The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads. | |||||
| CVE-2018-13447 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut parameter. | |||||
| CVE-2018-10094 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes. | |||||
| CVE-2017-18259 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in versions through 7.0.0. | |||||
| CVE-2018-10095 | 1 Dolibarr | 1 Dolibarr | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php. | |||||
| CVE-2018-9019 | 2 Dolibarr, Oracle | 2 Dolibarr, Data Integrator | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php. | |||||