Vulnerabilities for 'Dolibarr'

2020-06-19
CVE-2020-14475
CWE-79
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey).
 
2020-06-18
CVE-2020-14443
CWE-89
A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
 
2020-05-20
CVE-2020-13240
CWE-276
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.

CVE-2020-13239
CWE-79
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.
 
2020-05-18
CVE-2020-13094
CWE-79
Dolibarr before 11.0.4 allows XSS.
 
2020-05-06
CVE-2020-12669
CWE-863
core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.
 
2020-04-16
CVE-2020-11825
CWE-352
In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is that any CSRF token from any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.

CVE-2020-11823
CWE-79
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.
 
2020-03-16
CVE-2019-19212
CWE-89
Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).

CVE-2019-19211
CWE-79
Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS.
 


Copyright 2020, cxsecurity.com