Advisories for Composer/Dolibarr/Dolibarr package

2024

Dolibarr vulnerable to SQL Injection

Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters sortorder and sortfield in /dolibarr/admin/dict.php.

Dolibarr vulnerable to SQL Injection

Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters in /dolibarr/commande/list.php.

Dolibarr Application Home Page has HTML injection vulnerability

Observed an HTML Injection vulnerability in the Home page of Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited …

2023
2022

SQL injection in Dolibarr

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. …

Improper Control of Generation of Code ('Code Injection')

Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code …

Dolibarr ERP and CRM malicious executable loading

Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. (Malicious binaries can be uploaded by abusing other functionalities of the application.)

Access Control vulnerability

An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) in the forgot-password function, because the application allows email addresses as usernames, which can cause a Denial of Service.

2021

Improper Authentication

Admin-level users can change other users' details, but the application fails to validate an already existing login name when renaming a user's “Login”. This leads to complete account takeover of the victim user, since the password gets overwritten for the victim user having the same login name.

Cross-site Scripting

In the editor module of the Dolibarr editor, scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and, due to another vulnerability (Improper Access Control on Private notes), a …

Incorrect Authorization

Dolibarr applications do not restrict, or incorrectly restrict, access to a resource from an unauthorized actor. A low-privileged attacker can modify the Private Note, which only an administrator should have rights to do; the affected field is in the /adherents/note.php?id=1 endpoint.

2020

Command Injection

Dolibarr is vulnerable to authenticated Remote Code Execution. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.

Unrestricted Upload of File with Dangerous Type

Dolibarr allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, an .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).

Cross-site Scripting

Dolibarr is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.

SQL Injection

An SQL injection vulnerability in accountancy/customer/card.php in Dolibarr allows remote authenticated users to execute arbitrary SQL commands via the id parameter.

Cross-site Scripting

The DMS/ECM module in Dolibarr renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. Rendering these files directly may lead to XSS.

Cross-site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to …

2019

Cross-site Scripting

An issue was discovered in Dolibarr. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields Errors-To in emails sent)" field.

Cross-site Scripting

An issue was discovered in Dolibarr. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field.

Cross-site Scripting

Dolibarr has a stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.

Cross-site Scripting

Dolibarr has a stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.)

Cross-site Scripting

Dolibarr has a stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.

Cross-Site Request Forgery (CSRF)

An issue was discovered in Dolibarr. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

SQL Injection

An issue was discovered in Dolibarr: expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.

SQL Injection

An error-based SQL injection vulnerability in product/card.php in Dolibarr allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter.

Cross-site Scripting

A stored cross-site scripting (XSS) vulnerability in Dolibarr allows remote authenticated users to inject arbitrary web script or HTML via the address (POST) or town (POST) parameter to user/card.php.

Cross-site Scripting

A stored cross-site scripting (XSS) vulnerability in Dolibarr allows remote authenticated users to inject arbitrary web script or HTML via the address (POST) or town (POST) parameter to adherents/type.php.

2018

SQL Injection

An SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM allows remote attackers to execute arbitrary SQL commands via the statut parameter.

SQL Injection

An SQL injection vulnerability in product/card.php in Dolibarr allows remote attackers to execute arbitrary SQL commands via the country_id parameter.

SQL Injection

SQL Injection vulnerability in Dolibarr allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php.

SQL Injection

An SQL injection vulnerability in Dolibarr allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes.

Command Injection

The admin panel in Dolibarr might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads.

SQL Injection

Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities via comm/propal/list.php (viewstatut parameter) or comm/propal/list.php (propal_statut parameter, aka search_statut parameter).

2017
2016

Cross-site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM allow remote authenticated users to inject arbitrary web script or HTML via the parameters to htdocs/user/card.php.