Vulnerabilities > Dolibarr > Dolibarr > 3.6.0

DATE CVE VULNERABILITY TITLE RISK
2020-03-16 CVE-2019-19212 Cross-site Scripting vulnerability in Dolibarr
Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).
network
low complexity
dolibarr CWE-79
7.5
7.5
2020-03-16 CVE-2019-19211 Cross-site Scripting vulnerability in Dolibarr
Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS.
network
dolibarr CWE-79
4.3
4.3
2020-03-16 CVE-2019-19210 Cross-site Scripting vulnerability in Dolibarr
Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.
network
dolibarr CWE-79
3.5
3.5
2020-03-16 CVE-2019-19209 SQL Injection vulnerability in Dolibarr
Dolibarr ERP/CRM before 10.0.3 allows SQL Injection.
network
low complexity
dolibarr CWE-89
5.0
5.0
2018-12-26 CVE-2018-19799 Cross-site Scripting vulnerability in Dolibarr
Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS.
network
dolibarr CWE-79
4.3
4.3
2018-05-22 CVE-2018-9019 SQL Injection vulnerability in multiple products
SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php.
network
low complexity
dolibarr oracle CWE-89
7.5
7.5
2018-05-22 CVE-2018-10095 Cross-site Scripting vulnerability in Dolibarr
Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
network
dolibarr CWE-79
4.3
4.3
2018-05-22 CVE-2018-10094 SQL Injection vulnerability in Dolibarr
SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes.
network
low complexity
dolibarr CWE-89
7.5
7.5
2018-05-22 CVE-2018-10092 Missing Authorization vulnerability in Dolibarr
The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads.
network
dolibarr CWE-862
6.0
6.0
2017-06-25 CVE-2017-9840 Unrestricted Upload of File with Dangerous Type vulnerability in Dolibarr
Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application.
network
low complexity
dolibarr CWE-434
6.5
6.5