Dolibarr

Dolibarr Erp/crm

77 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2021-33816

Exploit
  • EPSS 2.57%
  • Veröffentlicht 10.11.2021 23:15:08
  • Zuletzt bearbeitet 21.11.2024 06:09:37

The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.

6.1

CVE-2021-33618

Exploit
  • EPSS 0.41%
  • Veröffentlicht 10.11.2021 23:15:07
  • Zuletzt bearbeitet 21.11.2024 06:09:12

Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.

7.2

CVE-2021-25956

  • EPSS 0.37%
  • Veröffentlicht 17.08.2021 15:15:07
  • Zuletzt bearbeitet 21.11.2024 05:55:40

In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account t...

9

CVE-2020-35136

Exploit
  • EPSS 6.99%
  • Veröffentlicht 23.12.2020 15:15:16
  • Zuletzt bearbeitet 21.11.2024 05:26:50

Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools...

5.4

CVE-2020-13828

  • EPSS 0.13%
  • Veröffentlicht 31.08.2020 16:15:14
  • Zuletzt bearbeitet 21.11.2024 05:01:57

Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address p...

6.1

CVE-2020-14475

  • EPSS 0.26%
  • Veröffentlicht 19.06.2020 17:15:14
  • Zuletzt bearbeitet 21.11.2024 05:03:21

A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey).

5.5

CVE-2020-13240

Exploit
  • EPSS 0.17%
  • Veröffentlicht 20.05.2020 15:15:11
  • Zuletzt bearbeitet 21.11.2024 05:00:51

The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.

5.4

CVE-2020-13239

Exploit
  • EPSS 0.23%
  • Veröffentlicht 20.05.2020 15:15:11
  • Zuletzt bearbeitet 21.11.2024 05:00:51

The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.

8.8

CVE-2020-11825

Exploit
  • EPSS 0.2%
  • Veröffentlicht 16.04.2020 19:15:27
  • Zuletzt bearbeitet 21.11.2024 04:58:42

In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.

5.4

CVE-2020-11823

Exploit
  • EPSS 0.31%
  • Veröffentlicht 16.04.2020 19:15:27
  • Zuletzt bearbeitet 21.11.2024 04:58:42

In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.