Vulnerabilities > Dolibarr > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-04-11 | CVE-2017-9839 | SQL Injection vulnerability in Dolibarr Erp/Crm Dolibarr ERP/CRM is affected by SQL injection in versions before 5.0.4 via product/stats/card.php (type parameter). | 6.5 |
| 2018-04-11 | CVE-2017-18260 | SQL Injection vulnerability in Dolibarr Erp/Crm Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities in versions through 7.0.0 via comm/propal/list.php (viewstatut parameter) or comm/propal/list.php (propal_statut parameter, aka search_statut parameter). | 6.5 |
| 2018-02-09 | CVE-2017-1000509 | Cross-site Scripting vulnerability in Dolibarr Erp/Crm 6.0.2 Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code. | 5.4 |
| 2017-12-29 | CVE-2017-17971 | Cross-site Scripting vulnerability in Dolibarr Erp/Crm 6.0.4 The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS. | 6.1 |
| 2017-09-11 | CVE-2017-14240 | Information Exposure vulnerability in Dolibarr 6.0.0 There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter. | 5.0 |
| 2017-06-25 | CVE-2017-9840 | Unrestricted Upload of File with Dangerous Type vulnerability in Dolibarr Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. | 6.5 |
| 2017-05-10 | CVE-2017-8879 | Improper Authentication vulnerability in Dolibarr Erp/Crm 4.0.4 Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation. | 6.8 |
| 2017-05-10 | CVE-2017-7887 | Cross-site Scripting vulnerability in Dolibarr Erp/Crm 4.0.4 Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter. | 6.1 |
| 2016-01-15 | CVE-2015-8685 | Cross-site Scripting vulnerability in Dolibarr Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar" page. | 4.3 |
| 2015-06-10 | CVE-2015-3935 | Cross-site Scripting vulnerability in Dolibarr 3.5.0/3.6.0 Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 allow remote attackers to inject arbitrary web script or HTML via the Business Search (search_nom) field to (1) htdocs/societe/societe.php or (2) htdocs/societe/admin/societe.php. | 4.3 |