Dolibarr: Security Vulnerabilities

In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.
CVSS Score: 8.8
EPSS Score: 0.002
Published: 2020-04-16

Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).
CVSS Score: 9.8
EPSS Score: 0.011
Published: 2020-03-16

Dolibarr ERP/CRM before 10.0.3 allows SQL Injection.
CVSS Score: 7.5
EPSS Score: 0.016
Published: 2020-03-16

Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.
CVSS Score: 5.4
EPSS Score: 0.006
Published: 2020-03-16

Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS.
CVSS Score: 6.1
EPSS Score: 0.021
Published: 2020-03-16

Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
CVSS Score: 5.4
EPSS Score: 0.002
Published: 2020-02-16

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page.
CVSS Score: 6.1
EPSS Score: 0.005
Published: 2020-01-26

The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.
CVSS Score: 9.8
EPSS Score: 0.006
Published: 2020-01-26

htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header.
CVSS Score: 6.1
EPSS Score: 0.004
Published: 2020-01-26

Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture.
CVSS Score: 5.4
EPSS Score: 0.007
Published: 2019-11-26

Shodan ® - All rights reserved