) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:dolibarr:dolibarr_erp\/crm:3.1.0:*:*:*:*:*:*:*
- CPE Name Search: true
| Vuln ID | Summary | CVSS Severity |
|---|---|---|
| CVE-2023-4198 |
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data Published: November 01, 2023; 5:15:09 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
| CVE-2023-4197 |
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. Published: November 01, 2023; 4:15:07 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
| CVE-2023-5842 |
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5. Published: October 29, 2023; 9:15:22 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
| CVE-2023-5323 |
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0. Published: September 30, 2023; 9:15:24 PM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
| CVE-2023-38888 |
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject. Published: September 19, 2023; 9:15:56 PM -0400 |
V3.1: 9.6 CRITICAL V2.0:(not available) |
| CVE-2023-38887 |
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions. Published: September 19, 2023; 9:15:56 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
| CVE-2023-38886 |
An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script. Published: September 19, 2023; 9:15:56 PM -0400 |
V3.1: 7.2 HIGH V2.0:(not available) |
| CVE-2023-30253 |
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data. Published: May 29, 2023; 5:15:09 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
| CVE-2022-43138 |
Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. Published: November 17, 2022; 12:15:13 PM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
| CVE-2022-40871 |
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval. Published: October 12, 2022; 8:15:09 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
| CVE-2022-2060 |
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0. Published: June 13, 2022; 5:15:10 AM -0400 |
V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
| CVE-2022-0819 |
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1. Published: March 02, 2022; 11:15:07 AM -0500 |
V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
| CVE-2022-0746 |
Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0. Published: February 25, 2022; 4:15:06 AM -0500 |
V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
| CVE-2022-0731 |
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0. Published: February 23, 2022; 2:15:08 PM -0500 |
V3.1: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
| CVE-2022-0414 |
Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0. Published: January 31, 2022; 6:15:07 AM -0500 |
V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
| CVE-2022-0224 |
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command Published: January 14, 2022; 1:15:10 PM -0500 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
| CVE-2022-0174 |
Improper Validation of Specified Quantity in Input vulnerability in dolibarr dolibarr/dolibarr. Published: January 10, 2022; 1:15:08 PM -0500 |
V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
| CVE-2017-9839 |
Dolibarr ERP/CRM is affected by SQL injection in versions before 5.0.4 via product/stats/card.php (type parameter). Published: April 10, 2018; 11:29:00 PM -0400 |
V3.0: 8.8 HIGH V2.0: 6.5 MEDIUM |
| CVE-2017-9838 |
Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5.0.4: index.php (leftmenu parameter), core/ajax/box.php (PATH_INFO), product/stats/card.php (type parameter), holiday/list.php (month_create, month_start, and month_end parameters), and don/card.php (societe, lastname, firstname, address, zipcode, town, and email parameters). Published: April 10, 2018; 11:29:00 PM -0400 |
V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |
| CVE-2017-18260 |
Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities in versions through 7.0.0 via comm/propal/list.php (viewstatut parameter) or comm/propal/list.php (propal_statut parameter, aka search_statut parameter). Published: April 10, 2018; 11:29:00 PM -0400 |
V3.0: 8.8 HIGH V2.0: 6.5 MEDIUM |