Vulnerabilities > Dolibarr > Dolibarr ERP CRM

DATE CVE VULNERABILITY TITLE RISK
2021-11-10 CVE-2021-33618 Cross-site Scripting vulnerability in Dolibarr Erp/Crm 13.0.2
Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.
network
low complexity
dolibarr CWE-79
6.1
6.1
2021-11-10 CVE-2021-33816 Code Injection vulnerability in Dolibarr Erp/Crm 13.0.2
The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.
network
low complexity
dolibarr CWE-94
critical
 9.8
9.8
2021-08-17 CVE-2021-25956 Unspecified vulnerability in Dolibarr
In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”.
network
low complexity
dolibarr
7.2
7.2
2020-12-23 CVE-2020-35136 Argument Injection or Modification vulnerability in Dolibarr Erp/Crm 12.0.3
Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution.
network
low complexity
dolibarr CWE-88
7.2
7.2
2020-08-31 CVE-2020-13828 Cross-site Scripting vulnerability in Dolibarr Erp/Crm 11.0.4
Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.
network
low complexity
dolibarr CWE-79
5.4
5.4
2020-06-19 CVE-2020-14475 Cross-site Scripting vulnerability in Dolibarr Erp/Crm 11.0.3
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey).
network
low complexity
dolibarr CWE-79
6.1
6.1
2020-05-20 CVE-2020-13240 Incorrect Default Permissions vulnerability in Dolibarr Erp/Crm 11.0.4
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions.
network
low complexity
dolibarr CWE-276
5.4
5.4
2020-05-20 CVE-2020-13239 Cross-site Scripting vulnerability in Dolibarr Erp/Crm 11.0.4
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link.
network
low complexity
dolibarr CWE-79
5.4
5.4
2020-04-16 CVE-2020-11825 Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr Erp/Crm 10.0.6
In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks.
network
low complexity
dolibarr CWE-352
8.8
8.8
2020-04-16 CVE-2020-11823 Cross-site Scripting vulnerability in Dolibarr Erp/Crm 10.0.6
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page.
network
low complexity
dolibarr CWE-79
5.4
5.4